win.phoenix_locker

Phoenix Locker


There is no description at this point.

References
2022-06-13 | Jorge Testa | Jorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02 | Mandiant | Mandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02 | Sentinel LABS | Antonio Pirozzi, Antonis Terefos, Idan Weizman
@techreport{pirozzi:202202:sanctions:2213742, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}}, date = {2022-02}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf}, language = {English}, urldate = {2022-05-17} } Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
Yara Rules
[TLP:WHITE] win_phoenix_locker_auto (20230125 | Detects win.phoenix_locker.)
// Autogenerated Malpedia rule for the Phoenix Locker family (win.phoenix_locker).
// It matches on ten short runs of raw instruction bytes taken from unpacked
// code; see the comments in the strings and condition sections for how to
// read and tune them.
rule win_phoenix_locker_auto {

    meta:
        // provenance: generator, Malpedia snapshot and sharing terms for this rule revision
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.phoenix_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a contiguous run of instruction bytes. The
        // `????` wildcards sit directly after 0xE8/0xE9 (call/jmp rel32)
        // opcodes, so a match does not depend on the branch target, which
        // changes with relocation. The "n = ..., score = ..." lines are
        // yara-signator metadata (instruction count, selection score), not
        // YARA syntax.
        // NOTE(review): the mnemonic column beside each byte group does not
        // decode the bytes it is printed next to — 0x41/0x45/0x48/0x49/0x4D
        // are REX prefixes in 64-bit code but are listed as 32-bit inc/dec
        // of ecx/ebp/eax, and e.g. 4d8943c0 is shown as a cmovl. It looks
        // like a 32-bit, misaligned listing; rely on the hex, not the
        // mnemonics, when reviewing or retuning this rule.
        $sequence_0 = { 4d8943c0 f9 452bc9 41f6c307 33d2 f8 452bc0 }
            // n = 7, score = 200
            //   4d8943c0             | cmovl               eax, edx
            //   f9                   | inc                 ebp
            //   452bc9               | mov                 eax, edi
            //   41f6c307             | call                dword ptr [eax + 0x20]
            //   33d2                 | dec                 eax
            //   f8                   | mov                 ecx, dword ptr [esp + 0x28]
            //   452bc0               | inc                 cx

        $sequence_1 = { 493bc7 e9???????? 0f8422020000 4c8bc3 660fbae1c9 d3e9 2bd2 }
            // n = 7, score = 200
            //   493bc7               | sbb                 ecx, 0x42e60787
            //   e9????????           |
            //   0f8422020000         | dec                 eax
            //   4c8bc3               | mov                 dword ptr [esp + 0x28], eax
            //   660fbae1c9           | inc                 ecx
            //   d3e9                 | lea                 edx, [esi - 0x155cfd4a]
            //   2bd2                 | dec                 eax

        $sequence_2 = { 23cd 4433c1 46330493 66410fb6ca 49ffc2 453341d0 408ace }
            // n = 7, score = 200
            //   23cd                 | movsd               dword ptr es:[edi], dword ptr [esi]
            //   4433c1               | neg                 word ptr [esp + 8]
            //   46330493             | dec                 eax
            //   66410fb6ca           | lea                 esp, [esp + 0x18]
            //   49ffc2               | popfd
            //   453341d0             | rol                 dword ptr [eax + 4], cl
            //   408ace               | push                0x3db10401

        $sequence_3 = { 488d642410 9d e8???????? 72b7 28ce e659 }
            // n = 6, score = 200
            //   488d642410           | pop                 ebx
            //   9d                   | inc                 ecx
            //   e8????????           |
            //   72b7                 | pop                 ebp
            //   28ce                 | inc                 ecx
            //   e659                 | pop                 ebx

        $sequence_4 = { 4533c9 e8???????? 488b7c2440 4c8d4668 413bc7 488bd5 b9fcf772cf }
            // n = 7, score = 200
            //   4533c9               | inc                 ecx
            //   e8????????           |
            //   488b7c2440           | test                bl, 0xa2
            //   4c8d4668             | cmp                 ecx, 0x38
            //   413bc7               | setns               cl
            //   488bd5               | dec                 eax
            //   b9fcf772cf           | lea                 ecx, [esp + 0x20]

        $sequence_5 = { 41a5 ec b5a5 4168110a73be f1 b85c62bee8 c19d84414078e7 }
            // n = 7, score = 200
            //   41a5                 | inc                 esp
            //   ec                   | movsx               eax, bp
            //   b5a5                 | je                  0x26c
            //   4168110a73be         | mov                 eax, esi
            //   f1                   | dec                 ecx
            //   b85c62bee8           | arpl                bp, dx
            //   c19d84414078e7       | dec                 eax

        $sequence_6 = { 55 77be e4ed de9741940cd5 8b4157 6f }
            // n = 6, score = 200
            //   55                   | not                 esp
            //   77be                 | inc                 bp
            //   e4ed                 | movzx               esp, cl
            //   de9741940cd5         | inc                 ecx
            //   8b4157               | setae               ah
            //   6f                   | inc                 ecx

        $sequence_7 = { e9???????? bb08000000 6681d10112 66d3e1 4d0fbfc4 488b0de3e5e4ff 41d2e8 }
            // n = 7, score = 200
            //   e9????????           |
            //   bb08000000           | inc                 ebp
            //   6681d10112           | movzx               ecx, bx
            //   66d3e1               | inc                 sp
            //   4d0fbfc4             | movsx               ecx, ch
            //   488b0de3e5e4ff       | inc                 ecx
            //   41d2e8               | mov                 ecx, 0xffffffff

        $sequence_8 = { 66c78424080000004377 6681a42408000000320c 4155 0f86dbffffff 68ff5b1158 66819c24180000006453 415d }
            // n = 7, score = 200
            //   66c78424080000004377     | mov    edx, esp
            //   6681a42408000000320c     | dec    eax
            //   4155                 | mov                 ecx, 0x100
            //   0f86dbffffff         | add                 byte ptr [eax], al
            //   68ff5b1158           | add                 byte ptr [eax], al
            //   66819c24180000006453     | inc    esp
            //   415d                 | xchg                bh, cl

        $sequence_9 = { 49c1ffe0 68a700674d 490fbae768 f9 664281bc7c16256793563e 41c1e7a7 }
            // n = 6, score = 200
            //   49c1ffe0             | xor                 ecx, eax
            //   68a700674d           | inc                 ecx
            //   490fbae768           | mov                 dword ptr [ecx + 0x14], eax
            //   f9                   | sal                 eax, 0x5a
            //   664281bc7c16256793563e     | inc    ecx
            //   41c1e7a7             | mov                 dword ptr [ecx + 0x18], ecx

    condition:
        // At least 7 of the 10 sequences must be present, and only files
        // smaller than 3702784 bytes (a little over 3.5 MiB) are considered.
        // Both bounds appear to be generator defaults rather than
        // family-specific tuning; loosening "7 of them" raises the
        // false-positive risk, and the filesize cap means the rule will not
        // fire on large memory images unless the threshold is raised.
        7 of them and filesize < 3702784
}