#StopRansomware: Phobos Ransomware

    Date: 02/29/2024

    Severity: High

    Summary

    Open source reports suggest that Phobos ransomware shares tactics with variants such as Elking, Eight, Devos, Backmydata, and Faust ransomware. Phobos operators rely on open source tools such as Smokeloader, Cobalt Strike, and Bloodhound, which are widely available and adaptable across different systems; this accessibility contributes to the popularity of Phobos and its associated variants among threat actors.

    Indicators of Compromise (IOC) List

         Domains/URLs

    https://attack.mitre.org/tactics/enterprise/

    adstat477d.xyz

    attack.mitre.org

    cock.li

    demstat577d.xyz

    inboxhub.net

    keemail.me

    onionmail.org

    serverxlogs21.xyz

    techie.com

    tutamail.com

    IP Address

    147.78.47.224

    185.202.0.111

    194.165.16.4

    Hash

    MD5

    0900b61febed8da43708f6735ed6c11b
    
    20d9fa474fa2628a6abe5485d35ee7e0
    
    2809e15a3a54484e042fe65fffd17409
    
    62885d0f106569fac3985f72f0ca10cb
    
    69788b170956a5c58ebd77f7680fde7c
    
    9376f223d363e28054676bb6ef2c3e79
    
    a567048dd823ff2d395ddd95d1fa5302
    
    b119cdd3d02b60009b9ad39da799ed3b
    
    db74cd067d4a0562b26ea4f10e943e3b
    
    e59ffeaf7acb0c326e452fa30bb71a36
    
    ecdf7acb35e4268bcafb03b8af12f659
    
    fe2d1879880466e24e76d8d0963feb93
    
    SHA1

    18ebb65842ccd3a1d1eeb597f2017267d47daaf9
    
    33def89ad18a6c3dbaa4b5b5075a84a771157441
    
    43683751209e85571072d953c0bdd44c883045ee
    
    4a8f0331abaf8f629b3c8220f0d55339cfa30223
    
    7332956debc4fb14a54d69b0b858bd5b04becac1
    
    90b2cebbeb377480e321d8f38ea6de2fa661e437
    
    93b0d892bd3fbb7d3d9efb69fffdc060159d4536
    
    a28af73bcfd4ebe2fe29242c07fec15e0578ec8a
    
    aed68cfa282ec2b0f8a681153beaebe3a17d04ee
    
    b092a6bf7fb6755e095ed9f35147d1c6710cf2c4
    
    c88fad293256bfead6962124394de4f8b97765aa
    
    cb37b10b209ab38477d2e17f21cae12a1cb2adf0
    
    SHA256

    0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f
    
    2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
    
    32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3
    
    482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52
    
    518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
    
    58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
    
    7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0
    
    9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c
    
    a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2
    
    c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763
    
    f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c
    
    f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed
    
    fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs

    userdomainname like "cock.li" or url like "cock.li" or userdomainname like "https://attack.mitre.org/tactics/enterprise/" or url like "https://attack.mitre.org/tactics/enterprise/" or userdomainname like "techie.com" or url like "techie.com" or userdomainname like "keemail.me" or url like "keemail.me" or userdomainname like "attack.mitre.org" or url like "attack.mitre.org" or userdomainname like "serverxlogs21.xyz" or url like "serverxlogs21.xyz" or userdomainname like "adstat477d.xyz" or url like "adstat477d.xyz" or userdomainname like "demstat577d.xyz" or url like "demstat577d.xyz" or userdomainname like "onionmail.org" or url like "onionmail.org" or userdomainname like "inboxhub.net" or url like "inboxhub.net" or userdomainname like "tutamail.com" or url like "tutamail.com"

    IP Address

    dstipaddress IN ("185.202.0.111","147.78.47.224","194.165.16.4") or ipaddress IN ("185.202.0.111","147.78.47.224","194.165.16.4") or publicipaddress IN ("185.202.0.111","147.78.47.224","194.165.16.4") or srcipaddress IN ("185.202.0.111","147.78.47.224","194.165.16.4")

    Hash

    md5hash IN ("fe2d1879880466e24e76d8d0963feb93","ecdf7acb35e4268bcafb03b8af12f659","e59ffeaf7acb0c326e452fa30bb71a36","a567048dd823ff2d395ddd95d1fa5302","b119cdd3d02b60009b9ad39da799ed3b","0900b61febed8da43708f6735ed6c11b","20d9fa474fa2628a6abe5485d35ee7e0","db74cd067d4a0562b26ea4f10e943e3b","62885d0f106569fac3985f72f0ca10cb","9376f223d363e28054676bb6ef2c3e79","69788b170956a5c58ebd77f7680fde7c","2809e15a3a54484e042fe65fffd17409")
    
    sha1hash IN ("33def89ad18a6c3dbaa4b5b5075a84a771157441","7332956debc4fb14a54d69b0b858bd5b04becac1","4a8f0331abaf8f629b3c8220f0d55339cfa30223","aed68cfa282ec2b0f8a681153beaebe3a17d04ee","c88fad293256bfead6962124394de4f8b97765aa","93b0d892bd3fbb7d3d9efb69fffdc060159d4536","a28af73bcfd4ebe2fe29242c07fec15e0578ec8a","b092a6bf7fb6755e095ed9f35147d1c6710cf2c4","90b2cebbeb377480e321d8f38ea6de2fa661e437","43683751209e85571072d953c0bdd44c883045ee","18ebb65842ccd3a1d1eeb597f2017267d47daaf9","cb37b10b209ab38477d2e17f21cae12a1cb2adf0")
    
    sha256hash IN ("7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0","0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f","58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6","9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c","fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6","2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66","518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c","f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c","a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2","482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52","f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed","c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763","32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3")
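    The queries above are exact-value matches on the TDIR fields userdomainname, url, dstipaddress, ipaddress, publicipaddress, srcipaddress, md5hash, sha1hash and sha256hash. The script below is an added example, not Gurucul's code, that applies the same IOC list to constructed event records with those field names so the matching logic can be exercised offline. It differs from the queries in three deliberate ways: it normalizes digest case and reduces URLs, host:port values and mail addresses to a hostname before comparing; it matches domains only exactly or as a subdomain, never as a bare substring; and it labels hits on attack.mitre.org (MITRE's documentation site, carried over from the advisory's references) and on the public mail providers that ransom notes use for contact as low-fidelity, so they are triaged rather than treated as blocking-grade hits. The event dicts and sample events are constructed for illustration.

```python
# Added example (not Gurucul's code): match constructed events against this page's IOC list.
import re
from urllib.parse import urlsplit

# Domains and IP addresses copied from the IOC list above.
IOC_DOMAINS = {
    "adstat477d.xyz", "attack.mitre.org", "cock.li", "demstat577d.xyz", "inboxhub.net",
    "keemail.me", "onionmail.org", "serverxlogs21.xyz", "techie.com", "tutamail.com",
}
IOC_IPS = {"147.78.47.224", "185.202.0.111", "194.165.16.4"}
# The 37 unique hashes from the list above; the set drops the page's repeated entries.
IOC_HASHES = {
    "0900b61febed8da43708f6735ed6c11b", "20d9fa474fa2628a6abe5485d35ee7e0",
    "2809e15a3a54484e042fe65fffd17409", "62885d0f106569fac3985f72f0ca10cb",
    "69788b170956a5c58ebd77f7680fde7c", "9376f223d363e28054676bb6ef2c3e79",
    "a567048dd823ff2d395ddd95d1fa5302", "b119cdd3d02b60009b9ad39da799ed3b",
    "db74cd067d4a0562b26ea4f10e943e3b", "e59ffeaf7acb0c326e452fa30bb71a36",
    "ecdf7acb35e4268bcafb03b8af12f659", "fe2d1879880466e24e76d8d0963feb93",
    "18ebb65842ccd3a1d1eeb597f2017267d47daaf9", "33def89ad18a6c3dbaa4b5b5075a84a771157441",
    "43683751209e85571072d953c0bdd44c883045ee", "4a8f0331abaf8f629b3c8220f0d55339cfa30223",
    "7332956debc4fb14a54d69b0b858bd5b04becac1", "90b2cebbeb377480e321d8f38ea6de2fa661e437",
    "93b0d892bd3fbb7d3d9efb69fffdc060159d4536", "a28af73bcfd4ebe2fe29242c07fec15e0578ec8a",
    "aed68cfa282ec2b0f8a681153beaebe3a17d04ee", "b092a6bf7fb6755e095ed9f35147d1c6710cf2c4",
    "c88fad293256bfead6962124394de4f8b97765aa", "cb37b10b209ab38477d2e17f21cae12a1cb2adf0",
    "0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f",
    "2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66",
    "32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3",
    "482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52",
    "518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c",
    "58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6",
    "7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0",
    "9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c",
    "a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2",
    "c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763",
    "f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c",
    "f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed",
    "fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6",
}
# attack.mitre.org is MITRE's documentation site (a reference carried into the IOC list),
# not adversary infrastructure; the mail providers are public services that ransom notes
# use for contact, so matches on them are triage leads rather than blocking-grade hits.
LOW_FIDELITY = {"attack.mitre.org": "informational", "cock.li": "low", "tutamail.com": "low",
                "onionmail.org": "low", "keemail.me": "low"}
DOMAIN_FIELDS = ("userdomainname", "url")  # field names mirror the TDIR queries above
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")
HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")

def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' from the digest length, else None."""
    v = value.strip().lower()
    return HASH_KIND_BY_LEN.get(len(v)) if HEX.match(v) else None

def extract_host(value):
    """Reduce a URL, host:port, user@host or bare domain to a lowercase hostname."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # make urlsplit parse the value as a network location
    return urlsplit(v).hostname or ""

def match_domain(value):
    """Exact or subdomain match against the IOC domains; no bare substring matching."""
    host = extract_host(value)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def match_event(event):
    """Return (field, ioc, confidence) triples for one event dict."""
    hits = []
    for field in DOMAIN_FIELDS:
        ioc = match_domain(str(event.get(field, "")))
        if ioc:
            hits.append((field, ioc, LOW_FIDELITY.get(ioc, "high")))
    for field in IP_FIELDS:
        v = str(event.get(field, "")).strip()
        if v in IOC_IPS:
            hits.append((field, v, "high"))
    for field in HASH_FIELDS:
        v = str(event.get(field, "")).strip().lower()  # case-insensitive digest compare
        if classify_hash(v) and v in IOC_HASHES:
            hits.append((field, v, "high"))
    return hits

# Constructed sample events (not real telemetry), keyed like the query fields above.
SAMPLE_EVENTS = [
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "185.202.0.111"},
    {"id": 2, "userdomainname": "corp.example", "url": "https://mail.tutamail.com/login"},
    {"id": 3, "md5hash": "0900B61FEBED8DA43708F6735ED6C11B"},  # uppercase digest
    {"id": 4, "url": "https://attack.mitre.org/tactics/enterprise/"},
    {"id": 5, "sha256hash": "deadbeef" * 8, "dstipaddress": "8.8.8.8"},  # clean event
]

def scan(events):
    """Map event id -> hits, omitting events with nothing to report."""
    scored = ((event["id"], match_event(event)) for event in events)
    return {event_id: hits for event_id, hits in scored if hits}
```

    Running scan(SAMPLE_EVENTS) reports events 1 through 4 and stays silent on event 5; the tutamail.com and attack.mitre.org hits come back labelled low and informational, which is the triage behaviour the page's plain IN-list queries do not distinguish.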

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
