phobos

General

Target

1fast.exe
Size

56KB
Sample

220830-kh5q9sedfl
MD5

c4af352d193e62dedbbafcb74aba78c0
SHA1

f0fba53440d995e559cb129aa8b2c99430b3a7c9
SHA256

9969e4c5b2496651be60078e79551a2f8a4440c3d150fac77a7e29621a766924
SHA512

2035e7cbb30c21dcda7648474629e94a7f097e28b40b0975a174f83ad73a7a00b48e9253617c7c373ee27382188488e2ad12026d8fd1af30eb57f0e606c58007
SSDEEP

1536:YNeRBl5PT/rx1mzwRMSTdLpJad6QIPEBSIJt9b:YQRrmzwR5JG6QIMSIh

Score

10^/10

Malware Config

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted. If you want to restore them, write to us by e-mail: [email protected] Write this ID in the title of your message: 3100182A-3239 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: [email protected] and [email protected] For quick and convenient feedback, write to the online operator in the Wire messenger: @sewzok (The username of the Wire account must be exactly the same as above,beware of fake accounts.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!! How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Emails

[email protected]

Targets

- Target
  
  1fast.exe
- Size
  
  56KB
- MD5
  
  c4af352d193e62dedbbafcb74aba78c0
- SHA1
  
  f0fba53440d995e559cb129aa8b2c99430b3a7c9
- SHA256
  
  9969e4c5b2496651be60078e79551a2f8a4440c3d150fac77a7e29621a766924
- SHA512
  
  2035e7cbb30c21dcda7648474629e94a7f097e28b40b0975a174f83ad73a7a00b48e9253617c7c373ee27382188488e2ad12026d8fd1af30eb57f0e606c58007
- SSDEEP
  
  1536:YNeRBl5PT/rx1mzwRMSTdLpJad6QIPEBSIJt9b:YQRrmzwR5JG6QIMSIh
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1