SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phobos (Back to overview)

Phobos

VTCollection    

MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.

References
2024-11-20TrellixJambul Tologonov, John Fokker, Phuc Pham
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now
8Base CryptXXXX Dharma Phobos
2024-05-30circleidWhoisXML API
A DNS Investigation of the Phobos Ransomware 8Base Attack
8Base Phobos
2024-05-21S-RMFrank de Korte
Phobos ransomware launches new leak site and pivots towards double extortion
Phobos
2024-03-18PCriskTomas Meskauskas
FORCE (.FORCE) ransomware virus – removal and decryption options
Phobos
2024-02-19Cyber GeeksCyberMasterV
A Technical Analysis of the BackMyData Ransomware Used to Attack Hospitals in Romania
Phobos
2024-02-15DNSCDirectoratul National de Securitate Cibernetica
Backmydata Ransomware
Phobos
2023-11-23QualysSuraj Mundalik
Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground
Phobos
2023-11-17Cisco TalosGuilherme Venere
Understanding the Phobos affiliate structure and activity
Phobos
2023-11-17Cisco TalosGuilherme Venere
A deep dive into Phobos ransomware, recently deployed by 8Base group
8Base Phobos
2023-08-23LogpointAnish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC
2023-07-17AcronisAcronis Security
8Base ransomware stays unseen for a year
8Base Phobos SmokeLoader
2023-06-30Twitter (@rivitna2)@rivitna2
Twitter thread about relationship between 8Base and Phobos ransomware
8Base Phobos
2023-06-28vmwareBria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-02-23CERT.PLJarosław Jedynak, Michał Praszmo
A tale of Phobos - how we almost cracked a ransomware using CUDA
Phobos
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-03PARAFLAREBex Nitert
Luci Spools The Fun With Phobos Ransomware
Phobos
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-10-07KasperskyFedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2021-07-22Serviciul Român de InformațiiServiciul Român de Informații
Cyber ​​attack with PHOBOS ransomware application
Phobos
2021-05-11Mal-Eatsmal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10Mal-Eatsmal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-27CrowdStrikeEben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-26CoveWareCoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-02MorphisecMichael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos
2021-03-17Palo Alto Networks Unit 42Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2020-10-13FortinetXiaopeng Zhang
Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-24Advanced IntelligenceBridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-25RSA ConferenceJoel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksKeita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-10MalwarebytesJovi Umawing
Threat spotlight: Phobos ransomware lives up to its name
Phobos
2020-01-01BlackberryBlackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-07-24Malwarebyteshasherezade
A deep dive into Phobos ransomware
Phobos
2019-01-29CodeWareCoveWare
Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos
Yara Rules
[TLP:WHITE] win_phobos_auto (20241030 | Detects win.phobos.)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff36 ff15???????? 8bd8 83fbff 7509 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff36                 | push                dword ptr [esi]
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   7509                 | jne                 0xb
            //   ff15????????         |                     

        $sequence_1 = { 5b c9 c3 8b4620 85c0 7407 50 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   50                   | push                eax

        $sequence_2 = { 33ff 5b c6043080 3bc3 40 730e 3bc3 }
            // n = 7, score = 100
            //   33ff                 | xor                 edi, edi
            //   5b                   | pop                 ebx
            //   c6043080             | mov                 byte ptr [eax + esi], 0x80
            //   3bc3                 | cmp                 eax, ebx
            //   40                   | inc                 eax
            //   730e                 | jae                 0x10
            //   3bc3                 | cmp                 eax, ebx

        $sequence_3 = { ff15???????? 89442414 e8???????? 6a00 6a14 89442420 e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a14                 | push                0x14
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   e8????????           |                     

        $sequence_4 = { 68a00f0000 8d4610 50 ff15???????? }
            // n = 4, score = 100
            //   68a00f0000           | push                0xfa0
            //   8d4610               | lea                 eax, [esi + 0x10]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_5 = { 8b450c 83c414 85c0 7408 8b0e 8b4c3908 }
            // n = 6, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b4c3908             | mov                 ecx, dword ptr [ecx + edi + 8]

        $sequence_6 = { 59 50 8945fc e8???????? 8bf8 59 85ff }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi

        $sequence_7 = { 333c9dd0b54000 8bda 23d8 333c9dd0c14000 8b5df0 337910 }
            // n = 6, score = 100
            //   333c9dd0b54000       | xor                 edi, dword ptr [ebx*4 + 0x40b5d0]
            //   8bda                 | mov                 ebx, edx
            //   23d8                 | and                 ebx, eax
            //   333c9dd0c14000       | xor                 edi, dword ptr [ebx*4 + 0x40c1d0]
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   337910               | xor                 edi, dword ptr [ecx + 0x10]

        $sequence_8 = { 83c104 83fe08 72d6 8b0a 83e90a 0f8466010000 49 }
            // n = 7, score = 100
            //   83c104               | add                 ecx, 4
            //   83fe08               | cmp                 esi, 8
            //   72d6                 | jb                  0xffffffd8
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   83e90a               | sub                 ecx, 0xa
            //   0f8466010000         | je                  0x16c
            //   49                   | dec                 ecx

        $sequence_9 = { 2bfa 53 0fb716 0fb71c37 663bd3 770a 720d }
            // n = 7, score = 100
            //   2bfa                 | sub                 edi, edx
            //   53                   | push                ebx
            //   0fb716               | movzx               edx, word ptr [esi]
            //   0fb71c37             | movzx               ebx, word ptr [edi + esi]
            //   663bd3               | cmp                 dx, bx
            //   770a                 | ja                  0xc
            //   720d                 | jb                  0xf

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules