win.phoenix_locker

Phoenix Locker


There is no description at this point.

References
2022-06-13 — Jorge Testa — Jorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02 — Mandiant — Mandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02 — Sentinel LABS — Antonio Pirozzi, Antonis Terefos, Idan Weizman
@techreport{pirozzi:202202:sanctions:2213742, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}}, date = {2022-02}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf}, language = {English}, urldate = {2022-05-17} } Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
Yara Rules
[TLP:WHITE] win_phoenix_locker_auto (20230715 | Detects win.phoenix_locker.)
rule win_phoenix_locker_auto {
    // Auto-generated Malpedia signature for win.phoenix_locker: ten opcode
    // byte sequences selected by yara-signator from unpacked/dumped samples.
    // Provenance and coverage caveats are in the meta block and the
    // DISCLAIMER below.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.phoenix_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the mnemonic column in the per-byte annotations below does
    // not line up with the byte column (e.g. `f9` is `stc`, not `movsx eax, di`;
    // `4151` is `push r9`, not `pop ecx`). The 0x40-0x4f lead bytes are REX
    // prefixes of x86-64 code, which appears to have been decoded here as
    // 32-bit instructions. Treat the hex byte strings as authoritative and the
    // mnemonics as informational only. The `??` bytes wildcard the 4-byte
    // rel32 displacement of e8 (call) / e9 (jmp), so the sequences still match
    // after relocation or rebasing.
    strings:
        $sequence_0 = { 488bcf e9???????? 66448938 e8???????? 8bd8 f9 }
            // n = 6, score = 200
            //   488bcf               | dec                 esp
            //   e9????????           |                     
            //   66448938             | mov                 ecx, ebp
            //   e8????????           |                     
            //   8bd8                 | inc                 esp
            //   f9                   | movsx               eax, di

        $sequence_1 = { 66440fa4c8a4 488b01 4533c9 458bc7 ff5020 488d5f02 493bfe }
            // n = 7, score = 200
            //   66440fa4c8a4         | mov                 ecx, dword ptr [eax + 0x50]
            //   488b01               | inc                 esp
            //   4533c9               | test                al, dl
            //   458bc7               | dec                 eax
            //   ff5020               | mov                 eax, dword ptr [esp + 0x40]
            //   488d5f02             | dec                 eax
            //   493bfe               | cwde                

        $sequence_2 = { 450fbfc5 488d4c2460 480fb7d2 448d866e03a3ea 99 }
            // n = 5, score = 200
            //   450fbfc5             | dec                 eax
            //   488d4c2460           | movsx               ecx, bp
            //   480fb7d2             | dec                 ebp
            //   448d866e03a3ea       | movzx               ecx, dx
            //   99                   | inc                 ecx

        $sequence_3 = { f5 488d0c4e 40f6c464 e9???????? 4d03c0 e9???????? }
            // n = 6, score = 200
            //   f5                   | and                 al, 0x7b
            //   488d0c4e             | mov                 edi, 8
            //   40f6c464             | inc                 ecx
            //   e9????????           |                     
            //   4d03c0               | rcr                 ch, 0x1b
            //   e9????????           |                     

        $sequence_4 = { e9???????? e8???????? 488b2d83cfe4ff 6685f0 493bc6 2bd2 f5 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   e8????????           |                     
            //   488b2d83cfe4ff       | dec                 ecx
            //   6685f0               | mov                 esi, dword ptr [ebx + 0x18]
            //   493bc6               | inc                 eax
            //   2bd2                 | not                 bh
            //   f5                   | inc                 ecx

        $sequence_5 = { e8???????? d15301 1006 0010 640900 103406 0010 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   d15301               | inc                 ecx
            //   1006                 | pop                 esp
            //   0010                 | pop                 edi
            //   640900               | pop                 edi
            //   103406               | dec                 eax
            //   0010                 | lea                 esp, [esp + 8]

        $sequence_6 = { 0f8441010000 418bbf84000000 41c0f875 40f6c621 458b8788000000 413bfb e9???????? }
            // n = 7, score = 200
            //   0f8441010000         | push                0x6798296c
            //   418bbf84000000       | inc                 ecx
            //   41c0f875             | push                ebx
            //   40f6c621             | sar                 word ptr [esp + 0x20], 1
            //   458b8788000000       | cmc                 
            //   413bfb               | dec                 esp
            //   e9????????           |                     

        $sequence_7 = { 4885c9 450fc0d2 312c24 4512d0 664181f26070 }
            // n = 5, score = 200
            //   4885c9               | add                 esp, dword ptr [ebx - 0x145f1a25]
            //   450fc0d2             | and                 bh, byte ptr [edi + 0x36]
            //   312c24               | dec                 esi
            //   4512d0               | add                 byte ptr [eax], al
            //   664181f26070         | add                 bl, ah

        $sequence_8 = { 4151 410fbaf9cc 66440f42cb 4180f130 312c24 664533cd 440bcb }
            // n = 7, score = 200
            //   4151                 | fstp                dword ptr [ebx]
            //   410fbaf9cc           | mov                 al, 0x70
            //   66440f42cb           | fidiv               word ptr [eax + 0x5aade0c5]
            //   4180f130             | jnp                 0xffffffcd
            //   312c24               | add                 cl, bl
            //   664533cd             | jb                  0x16
            //   440bcb               | cvtps2pd            xmm7, xmm4

        $sequence_9 = { e8???????? 4155 4151 9c 49b98059c32d64378851 e8???????? 4c0fbbea }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4155                 | pop                 ecx
            //   4151                 | pop                 ecx
            //   9c                   | pop                 edi
            //   49b98059c32d64378851     | pop    edi
            //   e8????????           |                     
            //   4c0fbbea             | ret                 

    // Match threshold: at least 7 of the 10 $sequence_* strings must be present,
    // and only scanned objects smaller than 3702784 bytes (~3.5 MiB) are
    // considered. Because the sequences come from single-sample disassembly
    // (see DISCLAIMER), treat a hit as medium confidence and corroborate it
    // with other telemetry before acting on it.
    condition:
        7 of them and filesize < 3702784
}