win.phoenix_locker (Back to overview)

Phoenix Locker


There is no description at this point.

References
2022-06-13 | Jorge Testa | Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02 | Mandiant | Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02-01 | Sentinel LABS | Antonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
Yara Rules
[TLP:WHITE] win_phoenix_locker_auto (20230808 | Detects win.phoenix_locker.)
// Malpedia auto-generated YARA rule for the win.phoenix_locker family.
// Produced by yara-signator from the disassembly of unpacked samples and
// memory dumps (see the DISCLAIMER below); the meta block records the
// generator, its configuration string and the Malpedia revision used.
rule win_phoenix_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.phoenix_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator configuration string for this run; its fields are
        // documented by yara-signator itself, not by this rule.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of consecutive instruction bytes taken
    // from one code location. `?` is a YARA nibble wildcard, so e8???????? is
    // a CALL opcode whose 4-byte relative target is left unconstrained, and
    // likewise for e9???????? (JMP) and ff15???????? (indirect CALL).
    // The "n = .., score = .." lines and the mnemonic column are generator
    // output kept for reference only. NOTE(review): the mnemonic column does
    // not track the bytes it is printed beside (the identical bytes `4159` in
    // $sequence_5 carry four different annotations), so reason from the hex,
    // not from the annotations, when judging what a sequence matches.
    strings:
        $sequence_0 = { 480fabc8 48ffc8 4180d05d 488d542420 488b01 66442bc4 }
            // n = 6, score = 200
            //   480fabc8             | push                ebx
            //   48ffc8               | inc                 eax
            //   4180d05d             | dec                 dh
            //   488d542420           | inc                 ecx
            //   488b01               | push                esi
            //   66442bc4             | test                sp, 0x3ffc

        $sequence_1 = { b91d692dbc 4d0f45e7 4533c9 e8???????? 4c8b6c2438 4c8d442440 413bc7 }
            // n = 7, score = 200
            //   b91d692dbc           | mov                 dword ptr [esi + eax*2], ebp
            //   4d0f45e7             | dec                 eax
            //   4533c9               | mov                 ebx, dword ptr [esp + 0x40]
            //   e8????????           |                     
            //   4c8b6c2438           | test                di, 0x411
            //   4c8d442440           | inc                 ebp
            //   413bc7               | sbb                 ah, bl

        $sequence_2 = { 6681942400000000c64d 66c18c2400000000d9 66c184240000000074 e8???????? e2ac 1234ca 99 }
            // n = 7, score = 200
            //   6681942400000000c64d     | dec    eax
            //   66c18c2400000000d9     | add    edx, 0x391f5fe5
            //   66c184240000000074     | inc    esp
            //   e8????????           |                     
            //   e2ac                 | xor                 eax, ecx
            //   1234ca               | shl                 dh, cl
            //   99                   | sub                 cl, 0xbb

        $sequence_3 = { 4d8d8424b602a3ea 660fbeca 488bcb e9???????? e8???????? 8bd5 498d8c1cb602a3ea }
            // n = 7, score = 200
            //   4d8d8424b602a3ea     | dec                 eax
            //   660fbeca             | cwde                
            //   488bcb               | bswap               ax
            //   e9????????           |                     
            //   e8????????           |                     
            //   8bd5                 | inc                 cx
            //   498d8c1cb602a3ea     | movsx               eax, al

        $sequence_4 = { e9???????? ff15???????? 33c9 4180fa13 3bc1 0f8417000000 488b4c2468 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   ff15????????         |                     
            //   33c9                 | dec                 ecx
            //   4180fa13             | mov                 edx, ecx
            //   3bc1                 | btr                 ebx, esp
            //   0f8417000000         | or                  bh, 0xc3
            //   488b4c2468           | dec                 ecx

        $sequence_5 = { 68d30f1c2f 4881842430000000bd5eeb17 66c1bc245800000025 4159 415f 4159 4159 }
            // n = 7, score = 200
            //   68d30f1c2f           | adc                 cx, 0x2de5
            //   4881842430000000bd5eeb17     | dec    ecx
            //   66c1bc245800000025     | mov    ebx, 0x9414a9a
            //   4159                 | push                ecx
            //   415f                 | outsd               dx, dword ptr [esi]
            //   4159                 | fstp                dword ptr [eax + ecx*2]
            //   4159                 | add                 dword ptr [esp + 8], 0xffe72f8e

        $sequence_6 = { 0f8539000000 8d4d39 664181d42122 f9 8d455b 4d63e0 }
            // n = 6, score = 200
            //   0f8539000000         | inc                 ebp
            //   8d4d39               | cmp                 al, ah
            //   664181d42122         | push                edi
            //   f9                   | inc                 eax
            //   8d455b               | adc                 bh, ch
            //   4d63e0               | xor                 dword ptr [esp], esi

        $sequence_7 = { 68d701373c 48818424080000003feaebff 55 c0e254 5a 5a c3 }
            // n = 7, score = 200
            //   68d701373c           | inc                 ecx
            //   48818424080000003feaebff     | test    dl, 0x38
            //   55                   | inc                 ebp
            //   c0e254               | mov                 ebx, dword ptr [ebx]
            //   5a                   | inc                 ecx
            //   5a                   | or                  al, 0x85
            //   c3                   | inc                 cx

        $sequence_8 = { e8???????? 4881842418000000aa78f72a 488b7c2428 48c74424281256ce88 68d72a8642 48c1a42400000000ef 689b25ad02 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4881842418000000aa78f72a     | dec    edi
            //   488b7c2428           | shl                 ebx, 2
            //   48c74424281256ce88     | add    eax, -2
            //   68d72a8642           | test                ebx, 0xc0000000
            //   48c1a42400000000ef     | je    0x2b7
            //   689b25ad02           | test                eax, eax

        $sequence_9 = { e8???????? 4155 4151 9c 49b98059c32d64378851 e8???????? 4c0fbbea }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4155                 | rol                 ecx, 8
            //   4151                 | and                 ecx, esi
            //   9c                   | or                  eax, ecx
            //   49b98059c32d64378851     | ror    eax, 8
            //   e8????????           |                     
            //   4c0fbbea             | inc                 cx

    // Match when at least 7 of the 10 byte sequences occur anywhere in the
    // scanned object and it is smaller than 3702784 bytes (~3.5 MiB); no
    // ordering or distance between the sequences is required.
    // NOTE(review): `filesize` is undefined when YARA scans process memory
    // rather than a file, so despite being derived from memory dumps this
    // rule is expected to match only on files and dumps written to disk —
    // confirm against the scanner this is deployed in.
    condition:
        7 of them and filesize < 3702784
}