SYMBOLCOMMON_NAMEaka. SYNONYMS
win.thanatos_ransom (Back to overview)

Thanatos Ransomware


There is no description at this point.

References
2018-06-26Bleeping ComputerLawrence Abrams
@online{abrams:20180626:thanatos:bbe20fc, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Decryptor Released by the Cisco Talos Group}}, date = {2018-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/}, language = {English}, urldate = {2019-12-20} } Thanatos Ransomware Decryptor Released by the Cisco Talos Group
Thanatos Ransomware
2018-06-26Cisco TalosEdmund Brumaghin, Earl Carter, Andrew Williams
@online{brumaghin:20180626:files:661b639, author = {Edmund Brumaghin and Earl Carter and Andrew Williams}, title = {{Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor}}, date = {2018-06-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html}, language = {English}, urldate = {2020-01-09} } Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor
Thanatos Ransomware
2018-02-26Bleeping ComputerLawrence Abrams
@online{abrams:20180226:thanatos:546a986, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/}, language = {English}, urldate = {2019-12-20} } Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption
Thanatos Ransomware
Yara Rules
[TLP:WHITE] win_thanatos_ransom_auto (20220808 | Detects win.thanatos_ransom.)
rule win_thanatos_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.thanatos_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b45f4 8b4df8 3bd9 0f8230ffffff eb1f 8b4df0 8b0c8de0774300 }
            // n = 7, score = 100
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   3bd9                 | cmp                 ebx, ecx
            //   0f8230ffffff         | jb                  0xffffff36
            //   eb1f                 | jmp                 0x21
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b0c8de0774300       | mov                 ecx, dword ptr [ecx*4 + 0x4377e0]

        $sequence_1 = { 8b8564ffffff 83e001 0f8412000000 83a564fffffffe 8b8d58ffffff e9???????? }
            // n = 6, score = 100
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   83e001               | and                 eax, 1
            //   0f8412000000         | je                  0x18
            //   83a564fffffffe       | and                 dword ptr [ebp - 0x9c], 0xfffffffe
            //   8b8d58ffffff         | mov                 ecx, dword ptr [ebp - 0xa8]
            //   e9????????           |                     

        $sequence_2 = { 8d45d7 3945c4 756a 837dec10 }
            // n = 4, score = 100
            //   8d45d7               | lea                 eax, [ebp - 0x29]
            //   3945c4               | cmp                 dword ptr [ebp - 0x3c], eax
            //   756a                 | jne                 0x6c
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10

        $sequence_3 = { 8b45e4 8b0485e0774300 8b4de0 f644082801 }
            // n = 4, score = 100
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b0485e0774300       | mov                 eax, dword ptr [eax*4 + 0x4377e0]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1

        $sequence_4 = { ba???????? c745fc0c000000 8d4dd8 e8???????? 83c404 68???????? }
            // n = 6, score = 100
            //   ba????????           |                     
            //   c745fc0c000000       | mov                 dword ptr [ebp - 4], 0xc
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     

        $sequence_5 = { 3432 50 32543258 325c3260 }
            // n = 4, score = 100
            //   3432                 | xor                 al, 0x32
            //   50                   | push                eax
            //   32543258             | xor                 dl, byte ptr [edx + esi + 0x58]
            //   325c3260             | xor                 bl, byte ptr [edx + esi + 0x60]

        $sequence_6 = { 7242 8b4d3c 40 3d00100000 722e }
            // n = 5, score = 100
            //   7242                 | jb                  0x44
            //   8b4d3c               | mov                 ecx, dword ptr [ebp + 0x3c]
            //   40                   | inc                 eax
            //   3d00100000           | cmp                 eax, 0x1000
            //   722e                 | jb                  0x30

        $sequence_7 = { 85f6 0f854affffff 83f910 8975e8 8d45d8 0f4345d8 c60000 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   0f854affffff         | jne                 0xffffff50
            //   83f910               | cmp                 ecx, 0x10
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   0f4345d8             | cmovae              eax, dword ptr [ebp - 0x28]
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_8 = { 8a805c6f4300 84c0 7f1f 8bce }
            // n = 4, score = 100
            //   8a805c6f4300         | mov                 al, byte ptr [eax + 0x436f5c]
            //   84c0                 | test                al, al
            //   7f1f                 | jg                  0x21
            //   8bce                 | mov                 ecx, esi

        $sequence_9 = { 8b4004 c744309874274300 8b4698 8b4804 8d41f8 }
            // n = 5, score = 100
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   c744309874274300     | mov                 dword ptr [eax + esi - 0x68], 0x432774
            //   8b4698               | mov                 eax, dword ptr [esi - 0x68]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d41f8               | lea                 eax, [ecx - 8]

    condition:
        7 of them and filesize < 516096
}
Download all Yara Rules