Overview

overview

10

Static

static

97cb4bf23e...le.exe

windows7_x64

10

97cb4bf23e...le.exe

windows10_x64

10

Resubmissions

21/02/2025, 10:40

250221-mqpfcszrfk 10

26/07/2021, 12:41

210726-386gy5xqax 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample

  • Size

    192KB

  • Sample

    210726-386gy5xqax

  • MD5

    eb5d46bf72a013bfc7c018169eb1739b

  • SHA1

    f55680a34521ef07c2b8dedd1b74a9927990485a

  • SHA256

    97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb

  • SHA512

    b3e2d512c95913fe0ea1732f1e0bea2e849eb2ef98046380b01c76e6ec38a2ad5c00dcb66f90ad1f9d9c3ab97b81cd92318bdbfc84e2d408ed577902511b0c54

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

\??\c:\users\admin\desktop\info.txt

Ransom Note
Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] and you will definitely be helped to recover. *you can send us a couple of files and we will return the restored ones to prove that only we can do it IMPORTANT: 1. the infection was due to vulnerabilities in your software 2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. if we do not respond to you within 24 hours, send a message to the email [email protected] 5. our goal is to return your data, but if you do not contact us, we will not succeed

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
Files are locked* but not corrupted Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] , specify in the subject unique identifier 65412767-2408 and you will definitely be helped to recover. *you can send us a couple of files and we will return the restored ones to prove that only we can do it IMPORTANT: 1. the infection was due to vulnerabilities in your software 2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. if we do not respond to you within 24 hours, send a message to the email [email protected] 5. our goal is to return your data, but if you do not contact us, we will not succeed

Targets

    • Target

      97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample

    • Size

      192KB

    • MD5

      eb5d46bf72a013bfc7c018169eb1739b

    • SHA1

      f55680a34521ef07c2b8dedd1b74a9927990485a

    • SHA256

      97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb

    • SHA512

      b3e2d512c95913fe0ea1732f1e0bea2e849eb2ef98046380b01c76e6ec38a2ad5c00dcb66f90ad1f9d9c3ab97b81cd92318bdbfc84e2d408ed577902511b0c54

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks