General

  • Target

    db_exec.exe

  • Size

    56KB

  • Sample

    200929-84e3j2fhre

  • MD5

    57a5909170a0faee72e61ad2155fd3fc

  • SHA1

    f03548eb37425741e62b5f64914513f53b82f4f7

  • SHA256

    05eb6a100b33f2bcf48a1acaa989b96de246d09e6e8526de83a622ebe575d25f

  • SHA512

    a8237c539ea9d2145d8f1e77f81f4a5182da45e6f5a63c4d7f13560a336bfec75c825267de734bfd3c82fca7c9804f03d582bc1374357374fd660083f7dd0e74

Malware Config

Extracted

  • Path

    \??\c:\users\admin\desktop\info.txt

  • Ransom Note

    ATTENTION! ALL YOUR DATA ARE PROTECTED WITH RSA ALGORITHM Your security system was vulnerable, so all of your files are encrypted. If you want to restore them, contact us by email: helpisos@aol.com in the header of the letter indicate your encrypted ID (you can find it in the names of your encrypted files) If you do not receive a response within 24 hours, please contact us by Telegram.org account: @iso_recovery BE CAREFUL AND DO NOT DAMAGE YOUR DATA: Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Do not trust anyone! Only we have keys to your files! Without this keys restore your data is impossible WE GUARANTEE A FREE DECODE AS A PROOF OF OUR POSSIBILITIES: You can send us 2 files for free decryption. Size of file must be less than 1 Mb (non archived). We don`t decrypt for test DATABASE, XLS and other important files. DO NOT ATTEMPT TO DECODE YOUR DATA YOURSELF, YOU ONLY DAMAGE THEM AND THEN YOU LOSE THEM FOREVER. AFTER DECRYPTION YOUR SYSTEM WILL RETURN TO A FULLY NORMALLY AND OPERATIONAL CONDITION!

  • Emails

    helpisos@aol.com

Extracted

  • Path

    C:\Users\Admin\Desktop\info.hta

  • Ransom Note

    ATTENTION! ALL YOUR DATA ARE PROTECTED WITH RSA ALGORITHM Your security system was vulnerable, so all of your files are encrypted. If you want to restore them, contact us by email: helpisos@aol.com in the header of the letter indicate your encrypted ID 08742CD1-2589 If you do not receive a response within 24 hours, please contact us by Telegram.org account: @iso_recovery BE CAREFUL AND DO NOT DAMAGE YOUR DATA: Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Do not trust anyone! Only we have keys to your files! Without this keys restore your data is impossible WE GUARANTEE A FREE DECODE AS A PROOF OF OUR POSSIBILITIES: You can send us 2 files for free decryption. Size of file must be less than 1 Mb (non archived). We don`t decrypt for test DATABASE, XLS and other important files. DO NOT ATTEMPT TO DECODE YOUR DATA YOURSELF, YOU ONLY DAMAGE THEM AND THEN YOU LOSE THEM FOREVER. AFTER DECRYPTION YOUR SYSTEM WILL RETURN TO A FULLY NORMALLY AND OPERATIONAL CONDITION!

  • Emails

    helpisos@aol.com

Targets

    • Target

      db_exec.exe

    • Size

      56KB

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                           Count  ID
  Execution          Command-Line Interface              1      T1059
  Persistence        Modify Existing Service             1      T1031
  Persistence        Registry Run Keys / Startup Folder  1      T1060
  Defense Evasion    File Deletion                       3      T1107
  Defense Evasion    Modify Registry                     2      T1112
  Credential Access  Credentials in Files                1      T1081
  Discovery          System Information Discovery        2      T1082
  Discovery          Query Registry                      1      T1012
  Discovery          Peripheral Device Discovery         1      T1120
  Collection         Data from Local System              1      T1005
  Impact             Inhibit System Recovery             4      T1490
