SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phobos (Back to overview)

Phobos Ransomware

There is no description at this point.

References
2020-10-13FortinetXiaopeng Zhang
@online{zhang:20201013:deep:e95d109, author = {Xiaopeng Zhang}, title = {{Deep Analysis – The EKING Variant of Phobos Ransomware}}, date = {2020-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware}, language = {English}, urldate = {2020-10-20} } Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos Ransomware
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos Ransomware
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-10MalwarebytesJovi Umawing
@online{umawing:20200110:threat:9e615e1, author = {Jovi Umawing}, title = {{Threat spotlight: Phobos ransomware lives up to its name}}, date = {2020-01-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/}, language = {English}, urldate = {2020-01-22} } Threat spotlight: Phobos ransomware lives up to its name
Phobos Ransomware
2019-07-24Malwarebyteshasherezade
@online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } A deep dive into Phobos ransomware
Phobos Ransomware
2019-01-29CodeWareCoveWare
@online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos Ransomware
Yara Rules
[TLP:WHITE] win_phobos_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4510 8b00 a810 7423 a900040000 7518 8b06 }
            // n = 7, score = 100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   a810                 | test                al, 0x10
            //   7423                 | je                  0x25
            //   a900040000           | test                eax, 0x400
            //   7518                 | jne                 0x1a
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_1 = { 85c0 0f8460ffffff 8b7df4 8bf3 e8???????? 837dfc00 7409 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8460ffffff         | je                  0xffffff66
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7409                 | je                  0xb

        $sequence_2 = { 0fb69ba8a44000 c1e108 33cb 23d6 0fb692a8a44000 c1e108 33ca }
            // n = 7, score = 100
            //   0fb69ba8a44000       | movzx               ebx, byte ptr [ebx + 0x40a4a8]
            //   c1e108               | shl                 ecx, 8
            //   33cb                 | xor                 ecx, ebx
            //   23d6                 | and                 edx, esi
            //   0fb692a8a44000       | movzx               edx, byte ptr [edx + 0x40a4a8]
            //   c1e108               | shl                 ecx, 8
            //   33ca                 | xor                 ecx, edx

        $sequence_3 = { 85c0 0f845c010000 395df8 0f8453010000 53 ff75f8 e8???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f845c010000         | je                  0x162
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   0f8453010000         | je                  0x159
            //   53                   | push                ebx
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     

        $sequence_4 = { 83c414 8b4508 8b4008 e8???????? 85c0 7405 e8???????? }
            // n = 7, score = 100
            //   83c414               | add                 esp, 0x14
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   e8????????           |                     

        $sequence_5 = { 5b 3bfb 7f02 8bdf 53 68???????? ff7508 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   3bfb                 | cmp                 edi, ebx
            //   7f02                 | jg                  4
            //   8bdf                 | mov                 ebx, edi
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_6 = { 8b750c 57 8d4601 6a02 50 e8???????? }
            // n = 6, score = 100
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   8d4601               | lea                 eax, [esi + 1]
            //   6a02                 | push                2
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 83c40c 8d441801 50 53 ff15???????? 50 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d441801             | lea                 eax, [eax + ebx + 1]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_8 = { 8d45f0 a5 50 ff7508 66a5 e8???????? }
            // n = 6, score = 100
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   e8????????           |                     

        $sequence_9 = { 0f8478010000 8bc3 50 ff742438 8d842490000000 6a02 6804010000 }
            // n = 7, score = 100
            //   0f8478010000         | je                  0x17e
            //   8bc3                 | mov                 eax, ebx
            //   50                   | push                eax
            //   ff742438             | push                dword ptr [esp + 0x38]
            //   8d842490000000       | lea                 eax, [esp + 0x90]
            //   6a02                 | push                2
            //   6804010000           | push                0x104

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules