win.robinhood

RobinHood

aka: RobbinHood

There is no description at this point.

References
2020-04-28 | Microsoft | Microsoft Threat Protection Intelligence Team
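@online{team:20200428:ransomware:3205f3a,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}},
  date         = {2020-04-28},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
  language     = {English},
  urldate      = {2020-05-05},
}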
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
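@online{team:20200305:humanoperated:d90a28e,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {{Human-operated ransomware attacks: A preventable disaster}},
  date         = {2020-03-05},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
  language     = {English},
  urldate      = {2020-03-06},
}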
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
  author      = {CrowdStrike},
  title       = {{2020 CrowdStrike Global Threat Report}},
  date        = {2020-03-04},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  language    = {English},
  urldate     = {2020-07-24},
}
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-06 | Sophos | Andrew Brandt, Mark Loman
@online{brandt:20200206:living:811742c,
  author       = {Brandt, Andrew and Loman, Mark},
  title        = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}},
  date         = {2020-02-06},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/},
  language     = {English},
  urldate      = {2020-02-13},
}
RobinHood
2020-02-06 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200206:ransomware:8b6a606,
  author       = {Abrams, Lawrence},
  title        = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}},
  date         = {2020-02-06},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/},
  language     = {English},
  urldate      = {2020-02-13},
}
RobinHood
2020-01-29 | ANSSI | ANSSI
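@techreport{anssi:20200129:tat:3d59e6e,
  author      = {ANSSI},
  title       = {{État de la menace rançongiciel}},
  date        = {2020-01-29},
  institution = {ANSSI},
  url         = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
  language    = {French},
  urldate     = {2020-02-03},
}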
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-07-01 | GoggleHeadedHacker Blog | Jacob Pimental
@online{pimental:20190701:robbinhood:2e0e1fe,
  author       = {Pimental, Jacob},
  title        = {{Robbinhood Malware Analysis with Radare2}},
  date         = {2019-07-01},
  organization = {GoggleHeadedHacker Blog},
  url          = {https://goggleheadedhacker.com/blog/post/12},
  language     = {English},
  urldate      = {2020-01-13},
}
RobinHood
2019-06-03 | Brian Krebs
@online{krebs:20190603:report:e065d06,
  author   = {Krebs, Brian},
  title    = {{Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware}},
  date     = {2019-06-03},
  url      = {https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/},
  language = {English},
  urldate  = {2019-10-17},
}
RobinHood
2019-05-09 | Sentinel LABS | Vitali Kremez
@online{kremez:20190509:robinhood:187f468,
  author       = {Kremez, Vitali},
  title        = {{RobinHood Ransomware “CoolMaker” Functions Not So Cool}},
  date         = {2019-05-09},
  organization = {Sentinel LABS},
  url          = {https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/},
  language     = {English},
  urldate      = {2020-01-06},
}
RobinHood
2019-05-08 | Ars Technica | Sean Gallagher
@online{gallagher:20190508:robbinhood:a7fdd3f,
  author       = {Gallagher, Sean},
  title        = {{“RobbinHood” ransomware takes down Baltimore City government networks}},
  date         = {2019-05-08},
  organization = {Ars Technica},
  url          = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/},
  language     = {English},
  urldate      = {2019-12-18},
}
RobinHood
2019-04-26 | Bleeping Computer | Lawrence Abrams
@online{abrams:20190426:closer:ba13483,
  author       = {Abrams, Lawrence},
  title        = {{A Closer Look at the RobbinHood Ransomware}},
  date         = {2019-04-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/},
  language     = {English},
  urldate      = {2019-12-20},
}
RobinHood
2019-04-25 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20190425:ransomware:4093d36,
  author       = {Kremez, Vitali},
  title        = {{Tweet on Ransomware}},
  date         = {2019-04-25},
  organization = {Twitter (@VK_intel)},
  url          = {https://twitter.com/VK_Intel/status/1121440931759128576},
  language     = {English},
  urldate      = {2020-01-05},
}
RobinHood
Yara Rules
[TLP:WHITE] win_robinhood_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_robinhood_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 consecutive instruction encodings
        // (the "n = 7" annotation) taken from the disassembly of one sample.
        // A "??" byte is a YARA wildcard: the generator masked bytes that are
        // presumably not stable across builds, such as the rel32 displacement
        // following an e8 (call) opcode or the absolute operand of 8b05
        // (mov eax, [imm32]); the disassembly column is left blank for those.
        $sequence_0 = { 8d2de08b5d00 8d74cd00 8b3e 01df 8b5a04 8b7604 893a }
            // n = 7, score = 100
            //   8d2de08b5d00         | lea                 ebp, [0x5d8be0]
            //   8d74cd00             | lea                 esi, [ebp + ecx*8]
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   01df                 | add                 edi, ebx
            //   8b5a04               | mov                 ebx, dword ptr [edx + 4]
            //   8b7604               | mov                 esi, dword ptr [esi + 4]
            //   893a                 | mov                 dword ptr [edx], edi

        $sequence_1 = { 8d05c07a4f00 890424 8d05c0675300 89442404 e8???????? 0f0b 8d05c07a4f00 }
            // n = 7, score = 100
            //   8d05c07a4f00         | lea                 eax, [0x4f7ac0]
            //   890424               | mov                 dword ptr [esp], eax
            //   8d05c0675300         | lea                 eax, [0x5367c0]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |
            //   0f0b                 | ud2
            //   8d05c07a4f00         | lea                 eax, [0x4f7ac0]

        $sequence_2 = { 895110 8d1dfcf35f00 891c24 c744240401000000 e8???????? 8b4c2420 8b5114 }
            // n = 7, score = 100
            //   895110               | mov                 dword ptr [ecx + 0x10], edx
            //   8d1dfcf35f00         | lea                 ebx, [0x5ff3fc]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   e8????????           |
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   8b5114               | mov                 edx, dword ptr [ecx + 0x14]

        $sequence_3 = { c744240800000000 e8???????? 0fb644240c 84c0 74be 8d05e0f55f00 890424 }
            // n = 7, score = 100
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   e8????????           |
            //   0fb644240c           | movzx               eax, byte ptr [esp + 0xc]
            //   84c0                 | test                al, al
            //   74be                 | je                  0xffffffc0
            //   8d05e0f55f00         | lea                 eax, [0x5ff5e0]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_4 = { 8b4110 8b8c24a0020000 890c24 ffd0 8b442404 8b4c2408 8d942418020000 }
            // n = 7, score = 100
            //   8b4110               | mov                 eax, dword ptr [ecx + 0x10]
            //   8b8c24a0020000       | mov                 ecx, dword ptr [esp + 0x2a0]
            //   890c24               | mov                 dword ptr [esp], ecx
            //   ffd0                 | call                eax
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8d942418020000       | lea                 edx, [esp + 0x218]

        $sequence_5 = { c744240800000000 c744240c0a000000 c644241000 8d0d8d595100 894c2414 c744241811000000 e8???????? }
            // n = 7, score = 100
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240c0a000000     | mov                 dword ptr [esp + 0xc], 0xa
            //   c644241000           | mov                 byte ptr [esp + 0x10], 0
            //   8d0d8d595100         | lea                 ecx, [0x51598d]
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   c744241811000000     | mov                 dword ptr [esp + 0x18], 0x11
            //   e8????????           |

        $sequence_6 = { 8b05???????? 89442424 8d0d60824f00 890c24 8b542420 89542404 8d1d94345100 }
            // n = 7, score = 100
            //   8b05????????         |
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   8d0d60824f00         | lea                 ecx, [0x4f8260]
            //   890c24               | mov                 dword ptr [esp], ecx
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   8d1d94345100         | lea                 ebx, [0x513494]

        $sequence_7 = { ebab e8???????? 8d05b0ea5100 890424 c744240436000000 e8???????? e8???????? }
            // n = 7, score = 100
            //   ebab                 | jmp                 0xffffffad
            //   e8????????           |
            //   8d05b0ea5100         | lea                 eax, [0x51eab0]
            //   890424               | mov                 dword ptr [esp], eax
            //   c744240436000000     | mov                 dword ptr [esp + 4], 0x36
            //   e8????????           |
            //   e8????????           |

        $sequence_8 = { 890424 8d442414 89442404 e8???????? 8d0540f55f00 890424 e8???????? }
            // n = 7, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |
            //   8d0540f55f00         | lea                 eax, [0x5ff540]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |

        $sequence_9 = { 8d4808 31d2 ebb2 8d0500fb5f00 8944241c c644242000 83c40c }
            // n = 7, score = 100
            //   8d4808               | lea                 ecx, [eax + 8]
            //   31d2                 | xor                 edx, edx
            //   ebb2                 | jmp                 0xffffffb4
            //   8d0500fb5f00         | lea                 eax, [0x5ffb00]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   c644242000           | mov                 byte ptr [esp + 0x20], 0
            //   83c40c               | add                 esp, 0xc

    // Match when at least 7 of the 10 sequences are present. The filesize
    // bound presumably reflects the sample set the rule was generated from
    // rather than a property of the family; re-check it before relying on it
    // as a hard limit (see DISCLAIMER above).
    condition:
        7 of them and filesize < 5955584
}
[TLP:WHITE] win_robinhood_w0   (20190510 | Unpacked RobinHood ransomware)
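rule win_robinhood_w0 {
    meta:
        author = "anonymous submission"
        description = "Unpacked RobinHood ransomware"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood"
        malpedia_version = "20190510"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Generic markers of a Go-compiled binary. They identify the toolchain,
        // not the family, so the condition requires both of them together with
        // at least one family-specific string from the $rh group.
        $go1 = "go.buildid"
        $go2 = "Go build ID:"

        // Family-specific artefacts, all matched case-insensitively.
        // NOTE(review): the purposes given below are inferred from the string
        // text only; confirm against an unpacked sample.
        $rh1 = "c:\\windows\\temp\\pub.key" nocase          // presumably where the sample stores its public key
        $rh2 = ".enc_robbinhood" nocase                     // presumably the suffix appended to encrypted files
        $rh3 = "cmd.exe /c net use * /DELETE /Y" nocase     // disconnects every mapped network share
        $rh4 = "CoolMaker" nocase                           // function-name prefix covered in the Kremez (2019-05-09) reference above
        $rh5 = "ShadowFucks" nocase                         // presumably routine names retained as Go symbols
        $rh6 = "RecoveryFCK" nocase
        $rh7 = "ServiceFuck" nocase

    condition:
        all of ($go*) and any of ($rh*)
}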