SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phobos (Back to overview)

Phobos

Ransomware.

References
2021-07-22Serviciul Român de InformațiiServiciul Român de Informații
@online{informaii:20210722:cyber:03cb12f, author = {Serviciul Român de Informații}, title = {{Cyber ​​attack with PHOBOS ransomware application}}, date = {2021-07-22}, organization = {Serviciul Român de Informații}, url = {https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos}, language = {Romanian}, urldate = {2021-07-26} } Cyber ​​attack with PHOBOS ransomware application
Phobos
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-27CrowdStrikeJosh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-02MorphisecMichael Gorelik
@online{gorelik:20210402:fair:6f62577, author = {Michael Gorelik}, title = {{The “Fair” Upgrade Variant of Phobos Ransomware}}, date = {2021-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware}, language = {English}, urldate = {2021-04-06} } The “Fair” Upgrade Variant of Phobos Ransomware
Phobos
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2020-10-13FortinetXiaopeng Zhang
@online{zhang:20201013:deep:e95d109, author = {Xiaopeng Zhang}, title = {{Deep Analysis – The EKING Variant of Phobos Ransomware}}, date = {2020-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware}, language = {English}, urldate = {2020-10-20} } Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-10MalwarebytesJovi Umawing
@online{umawing:20200110:threat:9e615e1, author = {Jovi Umawing}, title = {{Threat spotlight: Phobos ransomware lives up to its name}}, date = {2020-01-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/}, language = {English}, urldate = {2020-01-22} } Threat spotlight: Phobos ransomware lives up to its name
Phobos
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-07-24Malwarebyteshasherezade
@online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } A deep dive into Phobos ransomware
Phobos
2019-01-29CodeWareCoveWare
@online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos
Yara Rules
[TLP:WHITE] win_phobos_auto (20210616 | Detects win.phobos.)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 59 ff7508 e8???????? 8b442428 59 }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   59                   | pop                 ecx

        $sequence_1 = { 8bec 83e4f8 81ec44010000 83242400 53 56 8b35???????? }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec44010000         | sub                 esp, 0x144
            //   83242400             | and                 dword ptr [esp], 0
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b35????????         |                     

        $sequence_2 = { 83c41c 8bfb 85db 742a 46 }
            // n = 5, score = 100
            //   83c41c               | add                 esp, 0x1c
            //   8bfb                 | mov                 edi, ebx
            //   85db                 | test                ebx, ebx
            //   742a                 | je                  0x2c
            //   46                   | inc                 esi

        $sequence_3 = { bf80000000 57 53 8d45fc 50 56 6a00 }
            // n = 7, score = 100
            //   bf80000000           | mov                 edi, 0x80
            //   57                   | push                edi
            //   53                   | push                ebx
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   56                   | push                esi
            //   6a00                 | push                0

        $sequence_4 = { 8b5df0 c1eb08 23d8 0fb69bd0c54000 c1e208 33d3 8b5d08 }
            // n = 7, score = 100
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   c1eb08               | shr                 ebx, 8
            //   23d8                 | and                 ebx, eax
            //   0fb69bd0c54000       | movzx               ebx, byte ptr [ebx + 0x40c5d0]
            //   c1e208               | shl                 edx, 8
            //   33d3                 | xor                 edx, ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]

        $sequence_5 = { 0fb708 43 6685c9 75ea 56 }
            // n = 5, score = 100
            //   0fb708               | movzx               ecx, word ptr [eax]
            //   43                   | inc                 ebx
            //   6685c9               | test                cx, cx
            //   75ea                 | jne                 0xffffffec
            //   56                   | push                esi

        $sequence_6 = { c1eb18 333c9da8a54000 8b5df4 23d8 333c9dd0b14000 }
            // n = 5, score = 100
            //   c1eb18               | shr                 ebx, 0x18
            //   333c9da8a54000       | xor                 edi, dword ptr [ebx*4 + 0x40a5a8]
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   23d8                 | and                 ebx, eax
            //   333c9dd0b14000       | xor                 edi, dword ptr [ebx*4 + 0x40b1d0]

        $sequence_7 = { 33c0 895c2434 8d7c2438 ab ab 33c0 8d7c241c }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   895c2434             | mov                 dword ptr [esp + 0x34], ebx
            //   8d7c2438             | lea                 edi, dword ptr [esp + 0x38]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   33c0                 | xor                 eax, eax
            //   8d7c241c             | lea                 edi, dword ptr [esp + 0x1c]

        $sequence_8 = { 53 53 53 8d442440 50 53 89742448 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8d442440             | lea                 eax, dword ptr [esp + 0x40]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   89742448             | mov                 dword ptr [esp + 0x48], esi

        $sequence_9 = { 85c0 0f8484000000 8b45fc eb15 8b45fc }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   0f8484000000         | je                  0x8a
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   eb15                 | jmp                 0x17
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules