phobos | f25a3e2bbaa9bed0210adf5bff0bc5d76fbf44e09ae4bc22e40473814a6ebad1 | Triage

Sharing

General

Target

f25a3e2bbaa9bed0210adf5bff0bc5d76fbf44e09ae4bc22e40473814a6ebad1.exe
Size

56KB
Sample

221109-gtqvpsece7
MD5

e8a5392f6773a3cfda23fc0b9ea09749
SHA1

791fa78b31f640830d37ec92bae5dac67b15db9a
SHA256

f25a3e2bbaa9bed0210adf5bff0bc5d76fbf44e09ae4bc22e40473814a6ebad1
SHA512

eb1071d7ec30f58dce61c485d14b841faddbce9bb32e6c777db415a0c69a1452679306696c5794b0a0fe77bcf33b82f99a1b10c1bddf5352a65c85e020fd24da
SSDEEP

1536:6NeRBl5PT/rx1mzwRMSTdLpJqSAkQCSIY:6QRrmzwR5JKk0

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  f25a3e2bbaa9bed0210adf5bff0bc5d76fbf44e09ae4bc22e40473814a6ebad1.exe
- Size
  
  56KB
- MD5
  
  e8a5392f6773a3cfda23fc0b9ea09749
- SHA1
  
  791fa78b31f640830d37ec92bae5dac67b15db9a
- SHA256
  
  f25a3e2bbaa9bed0210adf5bff0bc5d76fbf44e09ae4bc22e40473814a6ebad1
- SHA512
  
  eb1071d7ec30f58dce61c485d14b841faddbce9bb32e6c777db415a0c69a1452679306696c5794b0a0fe77bcf33b82f99a1b10c1bddf5352a65c85e020fd24da
- SSDEEP
  
  1536:6NeRBl5PT/rx1mzwRMSTdLpJqSAkQCSIY:6QRrmzwR5JKk0
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomwarespywarestealer

behavioral2

phobosevasionpersistenceransomware