SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phobos (Back to overview)

Phobos Ransomware


There is no description at this point.

References
2020-10-13FortinetXiaopeng Zhang
@online{zhang:20201013:deep:e95d109, author = {Xiaopeng Zhang}, title = {{Deep Analysis – The EKING Variant of Phobos Ransomware}}, date = {2020-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware}, language = {English}, urldate = {2020-10-20} } Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos Ransomware
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos Ransomware
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-10MalwarebytesJovi Umawing
@online{umawing:20200110:threat:9e615e1, author = {Jovi Umawing}, title = {{Threat spotlight: Phobos ransomware lives up to its name}}, date = {2020-01-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/}, language = {English}, urldate = {2020-01-22} } Threat spotlight: Phobos ransomware lives up to its name
Phobos Ransomware
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware
2019-07-24Malwarebyteshasherezade
@online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } A deep dive into Phobos ransomware
Phobos Ransomware
2019-01-29CodeWareCoveWare
@online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos Ransomware
Yara Rules
[TLP:WHITE] win_phobos_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 ff15???????? 8906 3bc7 7427 57 ff36 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8906                 | mov                 dword ptr [esi], eax
            //   3bc7                 | cmp                 eax, edi
            //   7427                 | je                  0x29
            //   57                   | push                edi
            //   ff36                 | push                dword ptr [esi]

        $sequence_1 = { 59 6a14 8d4304 50 57 e8???????? }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   6a14                 | push                0x14
            //   8d4304               | lea                 eax, [ebx + 4]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_2 = { ff7508 ffd0 ff75f8 57 e8???????? 59 }
            // n = 6, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   57                   | push                edi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_3 = { 0f85b3000000 57 8d44242c 50 be08020000 56 }
            // n = 6, score = 100
            //   0f85b3000000         | jne                 0xb9
            //   57                   | push                edi
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   50                   | push                eax
            //   be08020000           | mov                 esi, 0x208
            //   56                   | push                esi

        $sequence_4 = { 8945e4 85c0 0f84c2000000 bf???????? be04010000 }
            // n = 5, score = 100
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   85c0                 | test                eax, eax
            //   0f84c2000000         | je                  0xc8
            //   bf????????           |                     
            //   be04010000           | mov                 esi, 0x104

        $sequence_5 = { 8b450c 83c414 85c0 7408 8b0e 8b4c3908 }
            // n = 6, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b4c3908             | mov                 ecx, dword ptr [ecx + edi + 8]

        $sequence_6 = { eb05 ff74bc3c 4f ff15???????? 3bfb 75f1 }
            // n = 6, score = 100
            //   eb05                 | jmp                 7
            //   ff74bc3c             | push                dword ptr [esp + edi*4 + 0x3c]
            //   4f                   | dec                 edi
            //   ff15????????         |                     
            //   3bfb                 | cmp                 edi, ebx
            //   75f1                 | jne                 0xfffffff3

        $sequence_7 = { 333c95d0b14000 8b55fc c1ea08 c1eb10 23d0 8b1495d0ad4000 23d8 }
            // n = 7, score = 100
            //   333c95d0b14000       | xor                 edi, dword ptr [edx*4 + 0x40b1d0]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   c1ea08               | shr                 edx, 8
            //   c1eb10               | shr                 ebx, 0x10
            //   23d0                 | and                 edx, eax
            //   8b1495d0ad4000       | mov                 edx, dword ptr [edx*4 + 0x40add0]
            //   23d8                 | and                 ebx, eax

        $sequence_8 = { e8???????? be???????? 8d7c2428 a5 a5 a5 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   be????????           |                     
            //   8d7c2428             | lea                 edi, [esp + 0x28]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_9 = { 7703 83c020 c3 55 8bec 57 ff7508 }
            // n = 7, score = 100
            //   7703                 | ja                  5
            //   83c020               | add                 eax, 0x20
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules