phobos | 0c3f82d1f30a53fb34d63ab9ef7a964ee085059941642d0226fd34ba4f3184c6 | Triage

Submit
Reports

Overview

overview

Static

static

YxaezL5DP1ISnOG.exe

windows7_x64

YxaezL5DP1ISnOG.exe

windows10_x64

3

Sharing

General

Target

YxaezL5DP1ISnOG.exe
Size

208KB
Sample

200711-1sqlkksdmn
MD5

4ba613da5bba6b5079b25dce5c6d90fc
SHA1

03365a85123e07eaab5019e92a23cf6d423c81cf
SHA256

0c3f82d1f30a53fb34d63ab9ef7a964ee085059941642d0226fd34ba4f3184c6
SHA512

a6d5ee3ca473473748d2b9a8e1f838b5b25b4d72b3310529a75f2483b847eec27e1118695d53cef0714e02eefdb2b8d71f180721907062f7a7c6ea3f6e44da55

Score

10^/10

phobos evasion persistence ransomware spyware

Static task

static1

Behavioral task

behavioral1

Sample

YxaezL5DP1ISnOG.exe

Resource

win7v200430

ransomware evasion persistence spyware phobos

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

YxaezL5DP1ISnOG.exe

Resource

win10

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  YxaezL5DP1ISnOG.exe
- Size
  
  208KB
- MD5
  
  4ba613da5bba6b5079b25dce5c6d90fc
- SHA1
  
  03365a85123e07eaab5019e92a23cf6d423c81cf
- SHA256
  
  0c3f82d1f30a53fb34d63ab9ef7a964ee085059941642d0226fd34ba4f3184c6
- SHA512
  
  a6d5ee3ca473473748d2b9a8e1f838b5b25b4d72b3310529a75f2483b847eec27e1118695d53cef0714e02eefdb2b8d71f180721907062f7a7c6ea3f6e44da55
Score

10^/10

ransomware evasion persistence spyware phobos
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Deletes system backup catalog
  Ransomware often tries to delete backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run entry to start application
  persistence
- Drops desktop.ini file(s)
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Modify Existing Service

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ransomwareevasionpersistencespywarephobos

behavioral2

© 2018-2024

Terms | Privacy