win.phoenix_locker

Phoenix Locker


There is no description at this point.

References
2022-06-13 | Jorge Testa | Jorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02 | Mandiant | Mandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02 | Sentinel LABS | Antonio Pirozzi, Antonis Terefos, Idan Weizman
@techreport{pirozzi:202202:sanctions:2213742, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}}, date = {2022-02}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf}, language = {English}, urldate = {2022-05-17} } Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
Yara Rules
[TLP:WHITE] win_phoenix_locker_auto (20221125 | Detects win.phoenix_locker.)
rule win_phoenix_locker_auto {
    // Auto-generated code-sequence signature for win.phoenix_locker:
    // matches when at least 7 of the 10 byte sequences below occur in a
    // file smaller than the size cap in the condition.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.phoenix_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The per-opcode annotations below were redone by hand as x86-64 decodes:
     * most sequences start with REX prefixes (0x40-0x4f), and the generator's
     * original annotations did not line up with the bytes (e.g. 0xf9 is stc,
     * 0x33d2 is xor edx, edx). Relative targets of e9 / 0f8x / ff15 are masked
     * by the generator ("????????") and are shown here as rel32 / RIP-relative.
     * Confirm with a disassembler before relying on the annotations; the hex
     * strings themselves are unchanged, and only they affect matching.
     */

    strings:
        $sequence_0 = { 4d8943c0 f9 452bc9 41f6c307 33d2 f8 452bc0 }
            // n = 7, score = 200
            //   4d8943c0             | mov                 qword ptr [r11 - 0x40], r8
            //   f9                   | stc                 
            //   452bc9               | sub                 r9d, r9d
            //   41f6c307             | test                r11b, 7
            //   33d2                 | xor                 edx, edx
            //   f8                   | clc                 
            //   452bc0               | sub                 r8d, r8d

        $sequence_1 = { 493bc7 e9???????? 0f8422020000 4c8bc3 660fbae1c9 d3e9 2bd2 }
            // n = 7, score = 200
            //   493bc7               | cmp                 rax, r15
            //   e9????????           | jmp                 <rel32 masked>
            //   0f8422020000         | je                  <rel32 +0x222>
            //   4c8bc3               | mov                 r8, rbx
            //   660fbae1c9           | bt                  cx, 0xc9
            //   d3e9                 | shr                 ecx, cl
            //   2bd2                 | sub                 edx, edx

        $sequence_2 = { 2bd2 e9???????? ff15???????? 3d02010000 e9???????? 0f8579010000 }
            // n = 6, score = 200
            //   2bd2                 | sub                 edx, edx
            //   e9????????           | jmp                 <rel32 masked>
            //   ff15????????         | call                qword ptr [rip + <masked>]
            //   3d02010000           | cmp                 eax, 0x102
            //   e9????????           | jmp                 <rel32 masked>
            //   0f8579010000         | jne                 <rel32 +0x179>

        $sequence_3 = { 4881842408000000e844c00a 4152 58 58 58 58 58 }
            // n = 7, score = 200
            //   4881842408000000e844c00a | add             qword ptr [rsp + 8], 0xac044e8
            //   4152                 | push                r10
            //   58                   | pop                 rax
            //   58                   | pop                 rax
            //   58                   | pop                 rax
            //   58                   | pop                 rax
            //   58                   | pop                 rax

        $sequence_4 = { 85c0 e9???????? 8be8 41b84b3eb52e 6641f7d0 4c0fb7c3 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   e9????????           | jmp                 <rel32 masked>
            //   8be8                 | mov                 ebp, eax
            //   41b84b3eb52e         | mov                 r8d, 0x2eb53e4b
            //   6641f7d0             | not                 r8w
            //   4c0fb7c3             | movzx               r8, bx

        $sequence_5 = { 451ac6 66450fbec0 448bca 41f6de 41d3f5 664181d81846 4c8bc1 }
            // n = 7, score = 200
            //   451ac6               | sbb                 r8b, r14b
            //   66450fbec0           | movsx               r8w, r8b
            //   448bca               | mov                 r9d, edx
            //   41f6de               | neg                 r14b
            //   41d3f5               | sal                 r13d, cl      (/6 encoding, alias of shl)
            //   664181d81846         | sbb                 r8w, 0x4618
            //   4c8bc1               | mov                 r8, rcx

        $sequence_6 = { 4153 4152 66bf305c 660fabe2 4157 66410fbef5 0fbfef }
            // n = 7, score = 200
            //   4153                 | push                r11
            //   4152                 | push                r10
            //   66bf305c             | mov                 di, 0x5c30
            //   660fabe2             | bts                 dx, sp
            //   4157                 | push                r15
            //   66410fbef5           | movsx               si, r13b
            //   0fbfef               | movsx               ebp, di

        $sequence_7 = { 410f95c4 448be2 41f6d6 6699 448db66e02a3ee 66400fb6de 6699 }
            // n = 7, score = 200
            //   410f95c4             | setne               r12b
            //   448be2               | mov                 r12d, edx
            //   41f6d6               | not                 r14b
            //   6699                 | cwd                 
            //   448db66e02a3ee       | lea                 r14d, [rsi - 0x115cfd92]
            //   66400fb6de           | movzx               bx, sil
            //   6699                 | cwd                 

        $sequence_8 = { 4923c2 4803c1 488d8424c8000000 413ad3 c7442430f8ff0000 f9 4881fa7640471f }
            // n = 7, score = 200
            //   4923c2               | and                 rax, r10
            //   4803c1               | add                 rax, rcx
            //   488d8424c8000000     | lea                 rax, [rsp + 0xc8]
            //   413ad3               | cmp                 dl, r11b
            //   c7442430f8ff0000     | mov                 dword ptr [rsp + 0x30], 0xfff8
            //   f9                   | stc                 
            //   4881fa7640471f       | cmp                 rdx, 0x1f474076

        $sequence_9 = { 443303 480fbafae8 80de0c 4133c0 66d3f2 6687d2 c0d21b }
            // n = 7, score = 200
            //   443303               | xor                 r8d, dword ptr [rbx]
            //   480fbafae8           | btc                 rdx, 0xe8
            //   80de0c               | sbb                 dh, 0xc
            //   4133c0               | xor                 eax, r8d
            //   66d3f2               | sal                 dx, cl
            //   6687d2               | xchg                dx, dx
            //   c0d21b               | rcl                 dl, 0x1b

    condition:
        // Any 7 of the 10 sequences must be present; the filesize bound
        // restricts matches to files below 3702784 bytes (about 3.5 MiB).
        7 of them and filesize < 3702784
}