Overview

overview

10

Static

static

aa193db946...ef.exe

windows7-x64

10

aa193db946...ef.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef

  • Size

    664KB

  • Sample

    220724-rvgcrsfgdm

  • MD5

    acf73cf8ddfb182b8559779f8a165e49

  • SHA1

    d944a1bc327f26b8c17345d04986ef0437d85484

  • SHA256

    aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef

  • SHA512

    284a26b9165b58c9a531364bb7609abdc38868efd38878b0cdf78bed45ef0ee73a83719ec972ee86416dddc0e9ab698ed387537e12c9aed75d81ad817a3c8fd0

Score
10/10
phobosdiscoveryevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef

    • Size

      664KB

    • MD5

      acf73cf8ddfb182b8559779f8a165e49

    • SHA1

      d944a1bc327f26b8c17345d04986ef0437d85484

    • SHA256

      aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef

    • SHA512

      284a26b9165b58c9a531364bb7609abdc38868efd38878b0cdf78bed45ef0ee73a83719ec972ee86416dddc0e9ab698ed387537e12c9aed75d81ad817a3c8fd0

    Score
    10/10
    phobosdiscoveryevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks