phobos

General

Target

94e5a07113b228991a294f9b972d2727695ecd68520f56741ae4ad649d5d529b
Size

57KB
Sample

221027-ntewrsbhh7
MD5

79c5bc57a1dd023ac5b372c0ca815cb5
SHA1

fab561d2b12cabc999b927f07cbf0de7afc07d7f
SHA256

94e5a07113b228991a294f9b972d2727695ecd68520f56741ae4ad649d5d529b
SHA512

90effdf8f6dc1b9d631aafadcd292287399455e53c76cdec12c0aeaf1bb324dc544b0a3b27ae2583f5567bf1988e66e59b57f858ddac88ec8a91ed6ec04674bd
SSDEEP

1536:wNeRBl5PT/rx1mzwRMSTdLpJRt6NeIJYs7:wQRrmzwR5JCNeST

Score

10^/10

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

All your files have been encrypted! All of your files have been encrypted. If you want to restore them, write to us by e-mail: [email protected] Write this ID in the title of your message 5115C1F0-3384 To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails: [email protected] or [email protected] For quick and convenient feedback, write to the online operator in the Wire messenger: zexor (The username of the Wire account must be exactly the same as above,beware of fake accounts.) You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption! Do not rename encrypted files. Do not try to decrypt your data using third-party software, as this may result in irreversible data loss. Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return. !!! When contacting third parties, we do not give a guarantee for decryption of your files !!!

Emails

[email protected]

Targets

- Target
  
  94e5a07113b228991a294f9b972d2727695ecd68520f56741ae4ad649d5d529b
- Size
  
  57KB
- MD5
  
  79c5bc57a1dd023ac5b372c0ca815cb5
- SHA1
  
  fab561d2b12cabc999b927f07cbf0de7afc07d7f
- SHA256
  
  94e5a07113b228991a294f9b972d2727695ecd68520f56741ae4ad649d5d529b
- SHA512
  
  90effdf8f6dc1b9d631aafadcd292287399455e53c76cdec12c0aeaf1bb324dc544b0a3b27ae2583f5567bf1988e66e59b57f858ddac88ec8a91ed6ec04674bd
- SSDEEP
  
  1536:wNeRBl5PT/rx1mzwRMSTdLpJRt6NeIJYs7:wQRrmzwR5JCNeST
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2