win.phobos

Phobos

Malwarebytes states that Phobos is one of the ransomware families distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market and can make for an attractive, cost-efficient dissemination vector for threat groups.

References
2024-02-19 | Cyber Geeks | CyberMasterV
A Technical Analysis of the BackMyData Ransomware Used to Attack Hospitals in Romania
Phobos
2024-02-15 | DNSC | Directoratul National de Securitate Cibernetica
Backmydata Ransomware
Phobos
2023-11-23 | Qualys | Suraj Mundalik
Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground
Phobos
2023-11-17 | Cisco Talos | Guilherme Venere
A deep dive into Phobos ransomware, recently deployed by 8Base group
8Base Phobos
2023-11-17 | Cisco Talos | Guilherme Venere
Understanding the Phobos affiliate structure and activity
Phobos
2023-08-23 | Logpoint | Anish Bogati, Nischal Khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC
2023-07-17 | Acronis | Acronis Security
8Base ransomware stays unseen for a year
8Base Phobos SmokeLoader
2023-06-30 | Twitter (@rivitna2) | @rivitna2
Twitter thread about relationship between 8Base and Phobos ransomware
8Base Phobos
2023-06-28 | VMware | Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-02-23 | CERT.PL | Jarosław Jedynak, Michał Praszmo
A tale of Phobos - how we almost cracked a ransomware using CUDA
Phobos
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-03 | PARAFLARE | Bex Nitert
Luci Spools The Fun With Phobos Ransomware
Phobos
2021-11-05 | Blackberry | The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-10-07 | Kaspersky | Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2021-07-22 | Serviciul Român de Informații | Serviciul Român de Informații
Cyber attack with PHOBOS ransomware application
Phobos
2021-05-11 | Mal-Eats | mal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10 | Mal-Eats | mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-27 | CrowdStrike | Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-26 | CoveWare | CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12 | PTSecurity | PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-02 | Morphisec | Michael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos
2021-03-17 | Palo Alto Networks Unit 42 | Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2020-10-13 | Fortinet | Xiaopeng Zhang
Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos
2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-24 | Advanced Intelligence | Bridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17 | Secureworks | Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-10 | Malwarebytes | Jovi Umawing
Threat spotlight: Phobos ransomware lives up to its name
Phobos
2020-01-01 | Blackberry | Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-07-24 | Malwarebytes | hasherezade
A deep dive into Phobos ransomware
Phobos
2019-01-29 | CodeWare | CoveWare
Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos
Yara Rules
[TLP:WHITE] win_phobos_auto (20230808 | Detects win.phobos.)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75fc e8???????? 59 85c0 0f845c010000 395df8 0f8453010000 }
            // n = 7, score = 100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f845c010000         | je                  0x162
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   0f8453010000         | je                  0x159

        $sequence_1 = { 59 8d4c0002 8bc7 2bc6 03c1 894ddc 897dd0 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   8d4c0002             | lea                 ecx, [eax + eax + 2]
            //   8bc7                 | mov                 eax, edi
            //   2bc6                 | sub                 eax, esi
            //   03c1                 | add                 eax, ecx
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   897dd0               | mov                 dword ptr [ebp - 0x30], edi

        $sequence_2 = { 8d5c3801 e8???????? 59 8945fc 8975e4 ff15???????? 6a40 }
            // n = 7, score = 100
            //   8d5c3801             | lea                 ebx, [eax + edi + 1]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   ff15????????         |                     
            //   6a40                 | push                0x40

        $sequence_3 = { 752e 6683f930 7409 c7450c0a000000 }
            // n = 4, score = 100
            //   752e                 | jne                 0x30
            //   6683f930             | cmp                 cx, 0x30
            //   7409                 | je                  0xb
            //   c7450c0a000000       | mov                 dword ptr [ebp + 0xc], 0xa

        $sequence_4 = { 53 56 c745a044000000 ff15???????? 8945fc 3bc6 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   c745a044000000       | mov                 dword ptr [ebp - 0x60], 0x44
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bc6                 | cmp                 eax, esi

        $sequence_5 = { 8bf8 57 897de0 e8???????? 83c40c 680a020000 8d5c3801 }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   57                   | push                edi
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   680a020000           | push                0x20a
            //   8d5c3801             | lea                 ebx, [eax + edi + 1]

        $sequence_6 = { 8d45f4 50 53 ff15???????? 56 8b35???????? ffd6 }
            // n = 7, score = 100
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8b35????????         |                     
            //   ffd6                 | call                esi

        $sequence_7 = { 8bf3 2b7010 e8???????? f6472801 8d440006 59 8945fc }
            // n = 7, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   2b7010               | sub                 esi, dword ptr [eax + 0x10]
            //   e8????????           |                     
            //   f6472801             | test                byte ptr [edi + 0x28], 1
            //   8d440006             | lea                 eax, [eax + eax + 6]
            //   59                   | pop                 ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_8 = { 7423 a900040000 7518 8b06 ff750c 8b00 ff7020 }
            // n = 7, score = 100
            //   7423                 | je                  0x25
            //   a900040000           | test                eax, 0x400
            //   7518                 | jne                 0x1a
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   ff7020               | push                dword ptr [eax + 0x20]

        $sequence_9 = { 83c602 0fb716 83c702 6685d2 75e0 668b06 663b07 }
            // n = 7, score = 100
            //   83c602               | add                 esi, 2
            //   0fb716               | movzx               edx, word ptr [esi]
            //   83c702               | add                 edi, 2
            //   6685d2               | test                dx, dx
            //   75e0                 | jne                 0xffffffe2
            //   668b06               | mov                 ax, word ptr [esi]
            //   663b07               | cmp                 ax, word ptr [edi]

    condition:
        7 of them and filesize < 139264
}