win.robinhood

RobinHood

aka: RobbinHood

There is no description at this point.

References
2020-02-06 ⋅ Sophos ⋅ Andrew Brandt, Mark Loman
@online{brandt:20200206:living:811742c, author = {Andrew Brandt and Mark Loman}, title = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}}, date = {2020-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/}, language = {English}, urldate = {2020-02-13} } Living off another land: Ransomware borrows vulnerable driver to remove security software
RobinHood
2020-02-06 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200206:ransomware:8b6a606, author = {Lawrence Abrams}, title = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}}, date = {2020-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/}, language = {English}, urldate = {2020-02-13} } Ransomware Exploits GIGABYTE Driver to Kill AV Processes
RobinHood
2020-01-29 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-07-01 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental
@online{pimental:20190701:robbinhood:2e0e1fe, author = {Jacob Pimental}, title = {{Robbinhood Malware Analysis with Radare2}}, date = {2019-07-01}, organization = {GoggleHeadedHacker Blog}, url = {https://goggleheadedhacker.com/blog/post/12}, language = {English}, urldate = {2020-01-13} } Robbinhood Malware Analysis with Radare2
RobinHood
2019-06-03 ⋅ Brian Krebs
@online{krebs:20190603:report:e065d06, author = {Brian Krebs}, title = {{Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware}}, date = {2019-06-03}, url = {https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/}, language = {English}, urldate = {2019-10-17} } Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware
RobinHood
2019-05-09 ⋅ Sentinel LABS ⋅ Vitali Kremez
@online{kremez:20190509:robinhood:187f468, author = {Vitali Kremez}, title = {{RobinHood Ransomware “CoolMaker” Functions Not So Cool}}, date = {2019-05-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/}, language = {English}, urldate = {2020-01-06} } RobinHood Ransomware “CoolMaker” Functions Not So Cool
RobinHood
2019-05-08 ⋅ Ars Technica ⋅ Sean Gallagher
@online{gallagher:20190508:robbinhood:a7fdd3f, author = {Sean Gallagher}, title = {{“RobbinHood” ransomware takes down Baltimore City government networks}}, date = {2019-05-08}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-18} } “RobbinHood” ransomware takes down Baltimore City government networks
RobinHood
2019-04-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20190426:closer:ba13483, author = {Lawrence Abrams}, title = {{A Closer Look at the RobbinHood Ransomware}}, date = {2019-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-20} } A Closer Look at the RobbinHood Ransomware
RobinHood
2019-04-25 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
@online{kremez:20190425:ransomware:4093d36, author = {Vitali Kremez}, title = {{Tweet on Ransomware}}, date = {2019-04-25}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1121440931759128576}, language = {English}, urldate = {2020-01-05} } Tweet on Ransomware
RobinHood
Yara Rules
[TLP:WHITE] win_robinhood_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_robinhood_auto {

    // Auto-generated code-pattern rule for RobinHood/RobbinHood (win.robinhood).
    // Each $sequence_N is a run of x86 opcode bytes lifted from disassembly; the
    // "??" bytes are wildcards masking operands that vary between builds (in these
    // sequences they fall on the rel32 of call/e8 and the imm32 of lea/8d, which is
    // why the disassembly column next to them is left blank).
    // The rule fires when any 7 of the 10 sequences are present (see condition).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Stack-based argument setup around a call (esp-relative stores), typical of
        // the calling convention seen throughout the sequences below.
        $sequence_0 = { 8944242c 891c24 c744240400000000 e8???????? 8b442414 89442430 8d0d???????? }
            // n = 7, score = 100
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   e8????????           |                     
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   8d0d????????         |                     

        $sequence_1 = { 8b4c2448 8b9c2484000000 894b30 8b0d???????? 85c9 750c }
            // n = 6, score = 100
            //   8b4c2448             | mov                 ecx, dword ptr [esp + 0x48]
            //   8b9c2484000000       | mov                 ebx, dword ptr [esp + 0x84]
            //   894b30               | mov                 dword ptr [ebx + 0x30], ecx
            //   8b0d????????         |                     
            //   85c9                 | test                ecx, ecx
            //   750c                 | jne                 0xe

        // Byte-gather loop body: three movzx loads from [esi+ebp+1..3] combined with
        // shl/or, i.e. assembling a multi-byte value from consecutive bytes.
        $sequence_2 = { 0f86f7000000 895c2424 0fb6442e01 0fb67c2e03 0fb65c2e02 c1e308 09fb }
            // n = 7, score = 100
            //   0f86f7000000         | jbe                 0xfd
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   0fb6442e01           | movzx               eax, byte ptr [esi + ebp + 1]
            //   0fb67c2e03           | movzx               edi, byte ptr [esi + ebp + 3]
            //   0fb65c2e02           | movzx               ebx, byte ptr [esi + ebp + 2]
            //   c1e308               | shl                 ebx, 8
            //   09fb                 | or                  ebx, edi

        $sequence_3 = { 8d8424a4000000 890424 8d05???????? 89442404 c744240815000000 8b8424f0010000 8944240c }
            // n = 7, score = 100
            //   8d8424a4000000       | lea                 eax, [esp + 0xa4]
            //   890424               | mov                 dword ptr [esp], eax
            //   8d05????????         |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   c744240815000000     | mov                 dword ptr [esp + 8], 0x15
            //   8b8424f0010000       | mov                 eax, dword ptr [esp + 0x1f0]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax

        // NOTE(review): the bytes below disassemble to an implausible instruction
        // stream (repeated add / pop es), which suggests they were lifted from a
        // data region rather than code. The low byte values (01/02/07) are common
        // in arbitrary binaries, so this sequence adds little specificity on its
        // own — confirm against the source sample before weighting hits on it.
        $sequence_4 = { 0206 010c02 07 0111 0208 0116 0206 }
            // n = 7, score = 100
            //   0206                 | add                 al, byte ptr [esi]
            //   010c02               | add                 dword ptr [edx + eax], ecx
            //   07                   | pop                 es
            //   0111                 | add                 dword ptr [ecx], edx
            //   0208                 | add                 cl, byte ptr [eax]
            //   0116                 | add                 dword ptr [esi], edx
            //   0206                 | add                 al, byte ptr [esi]

        // Walks a structure at [eax+0x71c]/[eax+0x720] (pointer + count) and reads
        // the last 4-byte element; the 0x71c/0x720 offsets are the distinctive part.
        $sequence_5 = { 8b8820070000 85c9 0f8489000000 8b8820070000 8b901c070000 8b5c8afc }
            // n = 6, score = 100
            //   8b8820070000         | mov                 ecx, dword ptr [eax + 0x720]
            //   85c9                 | test                ecx, ecx
            //   0f8489000000         | je                  0x8f
            //   8b8820070000         | mov                 ecx, dword ptr [eax + 0x720]
            //   8b901c070000         | mov                 edx, dword ptr [eax + 0x71c]
            //   8b5c8afc             | mov                 ebx, dword ptr [edx + ecx*4 - 4]

        $sequence_6 = { e8???????? 8d0d???????? 898c2458030000 8b9424a4020000 8994245c030000 8d1d???????? 899c2460030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d0d????????         |                     
            //   898c2458030000       | mov                 dword ptr [esp + 0x358], ecx
            //   8b9424a4020000       | mov                 edx, dword ptr [esp + 0x2a4]
            //   8994245c030000       | mov                 dword ptr [esp + 0x35c], edx
            //   8d1d????????         |                     
            //   899c2460030000       | mov                 dword ptr [esp + 0x360], ebx

        // Generic esp-relative call/return-value shuffle; expect this one to match
        // other binaries built with the same toolchain, it is carried by the others.
        $sequence_7 = { 89442404 8b4c2414 890c24 e8???????? 8b44240c 8b4c2408 }
            // n = 6, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   890c24               | mov                 dword ptr [esp], ecx
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]

        $sequence_8 = { 743e 8b54241c 8b5a04 8b2a 8b720c 8b5208 }
            // n = 6, score = 100
            //   743e                 | je                  0x40
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8b5a04               | mov                 ebx, dword ptr [edx + 4]
            //   8b2a                 | mov                 ebp, dword ptr [edx]
            //   8b720c               | mov                 esi, dword ptr [edx + 0xc]
            //   8b5208               | mov                 edx, dword ptr [edx + 8]

        // NOTE(review): as with $sequence_4, the jp/sbb/xchg stream and the odd
        // 0x9b3befed immediate look like non-code bytes (presumably a constant or
        // table), so treat this as a data signature rather than a code pattern.
        $sequence_9 = { 4f 7a75 1cd7 97 7aed 8a0b beedef3b9b }
            // n = 7, score = 100
            //   4f                   | dec                 edi
            //   7a75                 | jp                  0x77
            //   1cd7                 | sbb                 al, 0xd7
            //   97                   | xchg                eax, edi
            //   7aed                 | jp                  0xffffffef
            //   8a0b                 | mov                 cl, byte ptr [ebx]
            //   beedef3b9b           | mov                 esi, 0x9b3befed

    condition:
        // 7 of 10: tolerates a few sequences drifting between builds while still
        // requiring broad overlap with the reference sample. Since two sequences
        // look data-derived and one is toolchain-generic, hits that depend on those
        // to reach the threshold deserve a lower confidence than full matches.
        7 of them
}
[TLP:WHITE] win_robinhood_w0   (20190510 | Unpacked RobinHood ransomware)
rule win_robinhood_w0 { 
    // Hand-written string rule for unpacked RobinHood/RobbinHood samples: it pairs
    // Go-toolchain markers with artifacts specific to this family.
    meta:
        author = "anonymous submission"
        description = "Unpacked RobinHood ransomware"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood"
        malpedia_version = "20190510"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        // Go build-ID markers: present in binaries produced by the Go toolchain and
        // not specific to this family — they only pin down the runtime, not the malware.
        $go1 = "go.buildid" 
        $go2 = "Go build ID:" 
        // Family artifacts: a pub.key path under windows\temp, the .enc_robbinhood
        // extension (presumably appended to encrypted files — verify on a sample), a
        // "net use * /DELETE /Y" command that drops all mapped network connections,
        // and internal marker names ("CoolMaker" is discussed in the Sentinel LABS
        // reference on this page).
        $rh1 = "c:\\windows\\temp\\pub.key" nocase 
        $rh2 = ".enc_robbinhood" nocase 
        $rh3 = "cmd.exe /c net use * /DELETE /Y" nocase 
        $rh4 = "CoolMaker" nocase 
        $rh5= "ShadowFucks" nocase 
        $rh6= "RecoveryFCK" nocase 
        $rh7= "ServiceFuck" nocase 
    condition: 
        // Both Go markers plus at least one family string. NOTE(review): $rh3 is a
        // generic administration command, so a Go-built tool that embeds it would
        // satisfy this condition on its own; requiring 2 of ($rh*) would tighten it,
        // but that changes detection scope and is left to the rule owner.
        all of ($go*) and any of ($rh*)
}