Analysis of Faust Ransomware, a Variant of the Phobos Ransomware Family | Threat Intelligence | CloudSEK
Common Information
Type Value
UUID 255e034d-7833-4eb0-81ad-341b5f077614
Fingerprint ae5a9cbb363f9e15
Analysis status DONE
Considered CTI value 0
Text language
Published Feb. 8, 2023, midnight
Added to db Nov. 19, 2023, 5:58 a.m.
Last updated Nov. 17, 2024, 5:57 p.m.
Headline Analysis of Faust Ransomware, a Variant of the Phobos Ransomware Family
Title Analysis of Faust Ransomware, a Variant of the Phobos Ransomware Family | Threat Intelligence | CloudSEK
Detected Hints/Tags/Attributes 33/1/18
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 89 CloudSEK Threat Intelligence https://cloudsek.com/threatintelligence/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Yara rule 1
rule win_phobos_auto {
	meta:
		author = "Felix Bilstein - yara-signator at cocacoding dot com"
		date = "2023-01-25"
		version = "1"
		description = "Detects win.phobos."
		info = "autogenerated rule brought to you by yara-signator"
		tool = "yara-signator v0.6.0"
		signator_config = "callsandjumps;datarefs;binvalue"
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
		malpedia_rule_date = "20230124"
		malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
		malpedia_version = "20230125"
		malpedia_license = "CC BY-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$sequence_0 = { 81 C6 B2 00 00 00 89 B7 A8 00 00 00 8B 75 FC 6A 02 89 45 E0 89 45 E4 8D 45 E0 }
		$sequence_1 = { 8D 44 00 02 89 45 F8 8D 45 F4 50 68 19 01 02 00 }
		$sequence_2 = { FF 75 10 FF 15 ?? ?? ?? ?? 89 45 FC 83 F8 FF 0F 84 9C 01 00 00 FF 75 EC 8D 46 20 }
		$sequence_3 = { FF 75 08 E8 ?? ?? ?? ?? 83 C4 0C 8B D8 66 FF 4B 04 66 FF 4E 04 }
		$sequence_4 = { E8 ?? ?? ?? ?? 59 59 FF 45 F4 83 7D D8 00 74 3E 83 7D EC 00 }
		$sequence_5 = { 5B C6 04 30 80 3B C3 40 73 0E }
		$sequence_6 = { 8B 45 08 EB EB 8B 7D F8 EB 1B 0F B7 07 }
		$sequence_7 = { EB 01 4F FF 75 FC E8 ?? ?? ?? ?? 59 }
		$sequence_8 = { 57 50 E8 ?? ?? ?? ?? 8B 46 04 FF 76 0C }
		$sequence_9 = { 83 7E 08 00 74 46 8B 06 85 C0 74 40 8B 0F 89 4E 04 }
	condition:
		7 of them and filesize < 139264
}