phobos

General

Target

Fast.bin.zip
Size

39KB
Sample

220924-kmr1zaahc7
MD5

4b90892716ee0ae65986099d616e82a3
SHA1

37439c11891d8eb495e5abd7e2b8a7aa3f4b7f25
SHA256

f2952dd43ded68b9f3272de4ae385f2118878e1c9e747ee3a0619112e3372246
SHA512

a1e1c3c802783041da009cfebfbabc8cefd4e9f26a921b825c5e1decec8ecd0cebe307a6dc585c637d6005e8b967d26183a1fdbde5cde5e1be5327be5ae41f67
SSDEEP

768:RsIm+wv3/I2Md7Vhq+uGTQzkR1QiPTTsMuZSx+S6wvyGV6GtoUexM:RQ+W3A2SHqBGTgkLQirTsmx+S5LlIM

Score

10^/10

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

All your files have been encrypted! All of your files have been encrypted. If you want to restore them, write to us by e-mail: [email protected] Write this ID in the title of your message FD466A90-3384 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: [email protected] or [email protected] For quick and convenient feedback, write to the online operator in the Wire messenger: zexor (The username of the Wire account must be exactly the same as above,beware of fake accounts.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!!

Emails

[email protected]

Extracted

Path

C:\info.hta

Ransom Note

All your files have been encrypted! All of your files have been encrypted. If you want to restore them, write to us by e-mail: [email protected] Write this ID in the title of your message 2DEE997B-3384 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: [email protected] or [email protected] For quick and convenient feedback, write to the online operator in the Wire messenger: zexor (The username of the Wire account must be exactly the same as above,beware of fake accounts.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!!

Emails

[email protected]

Targets

- Target
  
  Fast.bin
- Size
  
  57KB
- MD5
  
  c3ffee9d1b907cdd19e5130a24abf4a4
- SHA1
  
  1687bf3e971b06bc9f0052185472a358b3ffbc6d
- SHA256
  
  0e82db485f3e272b47ea1f058a16bdff5eb2f504e1262a2a40abe0f1827082c8
- SHA512
  
  10f2f4efa957c9dc777fe082baed9c3f93061fdf41f972ff4cee3f35eb1a68b0bb96e9531c4b6dbabd37f7247ba3a6c02b07b4656b273f623ef8b1150a253ae1
- SSDEEP
  
  1536:NNeRBl5PT/rx1mzwRMSTdLpJrtwuQ3U2:NQRrmzwR5Ju3U2
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2