win.robinhood

RobinHood

aka: RobbinHood

There is no description at this point.

References
2020-04-28 | Microsoft | Microsoft Threat Protection Intelligence Team
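@comment{Corporate author is double-braced so BibTeX/Biber keep it as one indivisible name instead of splitting off "Team" as a surname; the citation key is left as issued so existing citations keep resolving.}
@online{team:20200428:ransomware:3205f3a,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk},
  date         = {2020-04-28},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
  urldate      = {2020-05-05},
  language     = {English},
}
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk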
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
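@comment{Corporate author is double-braced so BibTeX/Biber keep it as one indivisible name instead of splitting off "Team" as a surname; the citation key is left as issued so existing citations keep resolving.}
@online{team:20200305:humanoperated:d90a28e,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {Human-operated ransomware attacks: A preventable disaster},
  date         = {2020-03-05},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
  urldate      = {2020-03-06},
  language     = {English},
}
Human-operated ransomware attacks: A preventable disaster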
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04 | CrowdStrike | CrowdStrike
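@techreport{crowdstrike:20200304:2020:818c85f,
  author      = {{CrowdStrike}},
  title       = {2020 {CrowdStrike} Global Threat Report},
  date        = {2020-03-04},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  urldate     = {2020-03-04},
  language    = {English},
}
2020 CrowdStrike Global Threat Report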
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-06 | Sophos | Andrew Brandt, Mark Loman
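@online{brandt:20200206:living:811742c,
  author       = {Brandt, Andrew and Loman, Mark},
  title        = {Living off another land: Ransomware borrows vulnerable driver to remove security software},
  date         = {2020-02-06},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/},
  urldate      = {2020-02-13},
  language     = {English},
}
Living off another land: Ransomware borrows vulnerable driver to remove security software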
RobinHood
2020-02-06 | Bleeping Computer | Lawrence Abrams
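@online{abrams:20200206:ransomware:8b6a606,
  author       = {Abrams, Lawrence},
  title        = {Ransomware Exploits {GIGABYTE} Driver to Kill {AV} Processes},
  date         = {2020-02-06},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/},
  urldate      = {2020-02-13},
  language     = {English},
}
Ransomware Exploits GIGABYTE Driver to Kill AV Processes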
RobinHood
2020-01-29 | ANSSI | ANSSI
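@comment{The recorded title is French while the language field says English; the field is kept as exported, but check it against the document before relying on it for localisation or sorting.}
@techreport{anssi:20200129:tat:3d59e6e,
  author      = {{ANSSI}},
  title       = {État de la menace rançongiciel},
  date        = {2020-01-29},
  institution = {ANSSI},
  url         = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
  urldate     = {2020-02-03},
  language    = {English},
}
État de la menace rançongiciel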
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-07-01 | GoggleHeadedHacker Blog | Jacob Pimental
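@online{pimental:20190701:robbinhood:2e0e1fe,
  author       = {Pimental, Jacob},
  title        = {{Robbinhood} Malware Analysis with {Radare2}},
  date         = {2019-07-01},
  organization = {GoggleHeadedHacker Blog},
  url          = {https://goggleheadedhacker.com/blog/post/12},
  urldate      = {2020-01-13},
  language     = {English},
}
Robbinhood Malware Analysis with Radare2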
RobinHood
2019-06-03 | Brian Krebs
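@online{krebs:20190603:report:e065d06,
  author   = {Krebs, Brian},
  title    = {Report: No ‘{Eternal Blue}’ Exploit Found in {Baltimore City} Ransomware},
  date     = {2019-06-03},
  url      = {https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/},
  urldate  = {2019-10-17},
  language = {English},
}
Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware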
RobinHood
2019-05-09 | Sentinel LABS | Vitali Kremez
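@online{kremez:20190509:robinhood:187f468,
  author       = {Kremez, Vitali},
  title        = {{RobinHood} Ransomware “{CoolMaker}” Functions Not So Cool},
  date         = {2019-05-09},
  organization = {Sentinel LABS},
  url          = {https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/},
  urldate      = {2020-01-06},
  language     = {English},
}
RobinHood Ransomware “CoolMaker” Functions Not So Cool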
RobinHood
2019-05-08 | Ars Technica | Sean Gallagher
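@online{gallagher:20190508:robbinhood:a7fdd3f,
  author       = {Gallagher, Sean},
  title        = {“{RobbinHood}” ransomware takes down {Baltimore City} government networks},
  date         = {2019-05-08},
  organization = {Ars Technica},
  url          = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/},
  urldate      = {2019-12-18},
  language     = {English},
}
“RobbinHood” ransomware takes down Baltimore City government networks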
RobinHood
2019-04-26 | Bleeping Computer | Lawrence Abrams
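@online{abrams:20190426:closer:ba13483,
  author       = {Abrams, Lawrence},
  title        = {A Closer Look at the {RobbinHood} Ransomware},
  date         = {2019-04-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/},
  urldate      = {2019-12-20},
  language     = {English},
}
A Closer Look at the RobbinHood Ransomware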
RobinHood
2019-04-25 | Twitter (@VK_intel) | Vitali Kremez
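@online{kremez:20190425:ransomware:4093d36,
  author       = {Kremez, Vitali},
  title        = {Tweet on Ransomware},
  date         = {2019-04-25},
  organization = {Twitter (@VK_intel)},
  url          = {https://twitter.com/VK_Intel/status/1121440931759128576},
  urldate      = {2020-01-05},
  language     = {English},
}
Tweet on Ransomware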
RobinHood
Yara Rules
[TLP:WHITE] win_robinhood_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Generated code-sequence signature (yara-signator): matches on byte patterns
// lifted from disassembly rather than on strings; see the DISCLAIMER inside the
// rule for how the sequences were selected and what that means for confidence.
rule win_robinhood_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Ten hex patterns, each a run of 7 instructions (n = 7 in the comments
    // below, with the disassembly shown per byte group). The "??" bytes are
    // YARA wildcards covering call displacements and absolute data
    // references, which the generator (tool_config above) masks out.
    strings:
        $sequence_0 = { 8b442404 89c1 25ffefffff 83f809 0f836b020000 8d1520b95e00 8d14c2 }
            // n = 7, score = 200
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   89c1                 | mov                 ecx, eax
            //   25ffefffff           | and                 eax, 0xffffefff
            //   83f809               | cmp                 eax, 9
            //   0f836b020000         | jae                 0x271
            //   8d1520b95e00         | lea                 edx, [0x5eb920]
            //   8d14c2               | lea                 edx, [edx + eax*8]

        $sequence_1 = { 0f84ec000000 8944241c 894c2414 8d15c0105000 891424 e8???????? 8b7c2404 }
            // n = 7, score = 200
            //   0f84ec000000         | je                  0xf2
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   8d15c0105000         | lea                 edx, [0x5010c0]
            //   891424               | mov                 dword ptr [esp], edx
            //   e8????????           |                     
            //   8b7c2404             | mov                 edi, dword ptr [esp + 4]

        $sequence_2 = { 894c2404 e8???????? c7042400000000 c744240400000000 c744240800000000 e8???????? 8b44240c }
            // n = 7, score = 200
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   e8????????           |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]

        $sequence_3 = { e9???????? 8d0500fb5f00 89442448 c644244c00 83c434 c3 89d1 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8d0500fb5f00         | lea                 eax, [0x5ffb00]
            //   89442448             | mov                 dword ptr [esp + 0x48], eax
            //   c644244c00           | mov                 byte ptr [esp + 0x4c], 0
            //   83c434               | add                 esp, 0x34
            //   c3                   | ret                 
            //   89d1                 | mov                 ecx, edx

        $sequence_4 = { 8d0d50705300 39c1 7522 8b4c2408 740d 8944240c 8b442408 }
            // n = 7, score = 200
            //   8d0d50705300         | lea                 ecx, [0x537050]
            //   39c1                 | cmp                 ecx, eax
            //   7522                 | jne                 0x24
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   740d                 | je                  0xf
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b442408             | mov                 eax, dword ptr [esp + 8]

        $sequence_5 = { 8b4c240c 8905???????? 8b05???????? 85c0 0f85b8000000 890d???????? 8d05006e4f00 }
            // n = 7, score = 200
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   8905????????         |                     
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85b8000000         | jne                 0xbe
            //   890d????????         |                     
            //   8d05006e4f00         | lea                 eax, [0x4f6e00]

        $sequence_6 = { ebf6 c744242800000000 c744242c00000000 c744243000000000 c744243400000000 c744243800000000 c744243c00000000 }
            // n = 7, score = 200
            //   ebf6                 | jmp                 0xfffffff8
            //   c744242800000000     | mov                 dword ptr [esp + 0x28], 0
            //   c744242c00000000     | mov                 dword ptr [esp + 0x2c], 0
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0
            //   c744243400000000     | mov                 dword ptr [esp + 0x34], 0
            //   c744243800000000     | mov                 dword ptr [esp + 0x38], 0
            //   c744243c00000000     | mov                 dword ptr [esp + 0x3c], 0

        $sequence_7 = { 8b4c2424 894c2408 e8???????? e9???????? 8d1578f85f00 891424 89442404 }
            // n = 7, score = 200
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   8d1578f85f00         | lea                 edx, [0x5ff878]
            //   891424               | mov                 dword ptr [esp], edx
            //   89442404             | mov                 dword ptr [esp + 4], eax

        $sequence_8 = { 8b0d???????? 85c9 0f8515040000 8905???????? 8d0508595100 890424 c744240410000000 }
            // n = 7, score = 200
            //   8b0d????????         |                     
            //   85c9                 | test                ecx, ecx
            //   0f8515040000         | jne                 0x41b
            //   8905????????         |                     
            //   8d0508595100         | lea                 eax, [0x515908]
            //   890424               | mov                 dword ptr [esp], eax
            //   c744240410000000     | mov                 dword ptr [esp + 4], 0x10

        $sequence_9 = { 8b4c2434 894c2410 8d0d8b3a5100 894c2414 c744241808000000 8b9424f8000000 8954241c }
            // n = 7, score = 200
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   8d0d8b3a5100         | lea                 ecx, [0x513a8b]
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   c744241808000000     | mov                 dword ptr [esp + 0x18], 8
            //   8b9424f8000000       | mov                 edx, dword ptr [esp + 0xf8]
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx

    // At least 7 of the 10 sequences must be present, and only files smaller
    // than 5955584 bytes (about 5.7 MiB) are considered at all; the size cap is
    // a generator-chosen bound, so samples padded or repacked above it will
    // not be reported by this rule.
    condition:
        7 of them and filesize < 5955584
}
[TLP:WHITE] win_robinhood_w0 (20190510 | Unpacked RobinHood ransomware)
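// String-based signature for unpacked RobinHood samples: requires both Go
// build markers plus at least one family-specific artefact string.
rule win_robinhood_w0 {
    meta:
        author = "anonymous submission"
        description = "Unpacked RobinHood ransomware"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood"
        malpedia_version = "20190510"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Go toolchain markers: both must be present, so the rule only ever
        // fires on Go-built binaries (packed samples will not expose them).
        $go1 = "go.buildid"
        $go2 = "Go build ID:"
        // Family artefacts, all matched case-insensitively: a pub.key path
        // under the Windows temp directory, the ".enc_robbinhood" file
        // extension, a share-disconnect command (net use * /DELETE), and the
        // internal identifiers documented in the referenced analyses.
        $rh1 = "c:\\windows\\temp\\pub.key" nocase
        $rh2 = ".enc_robbinhood" nocase
        $rh3 = "cmd.exe /c net use * /DELETE /Y" nocase
        $rh4 = "CoolMaker" nocase
        $rh5 = "ShadowFucks" nocase
        $rh6 = "RecoveryFCK" nocase
        $rh7 = "ServiceFuck" nocase
    condition:
        // A single $rh* hit is enough. $rh3 is a generic shell command that a
        // benign Go-built admin tool could also embed, so treat hits on $rh3
        // alone as lower confidence and confirm with a second artefact.
        all of ($go*) and any of ($rh*)
}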