Extracted

Extracted

Extracted

Extracted

• • Target

    58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6

  • Size

    56KB

  • MD5

    62885d0f106569fac3985f72f0ca10cb

  • SHA1

    cb37b10b209ab38477d2e17f21cae12a1cb2adf0

  • SHA256

    58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6

  • SHA512

    1fdd982323e314b97dc4b6878f92e965aeefee9f89203c4ca944e8e540d5a990dcb5cbfb5455794e1ef3ad3e7d990e20b12af70f3310b1ff92c8402c43275c2a

  • SSDEEP

    1536:sNeRBl5PT/rx1mzwRMSTdLpJNr+eiukbsSw:sQRrmzwR5JViums

  Score

  10^/10

  phobosevasionpersistenceransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral1behavioral2

• • Target

    b188674706de2125e487aadc14769e5e4c20f311a1abfd098441c4a8bc41ed27

  • Size

    753KB

  • MD5

    4f1025c0661cc0fa578a52466fa65b71

  • SHA1

    591d9da3673498a3cf184637c0b83e62fa7e1e8c

  • SHA256

    b188674706de2125e487aadc14769e5e4c20f311a1abfd098441c4a8bc41ed27

  • SHA512

    9e75f94bccc8a78d2436455d58eab1fb4632b98351e0af5417a82d85a1ee541086331a1cd30611ec5782e24eb3fbf448eee5cbb605b05219131d997f1325a0a5

  • SSDEEP

    12288:jzKha/nj5OLpdNIrd4Dx5OLpdNIrd4Di:7FmXIrdCmXIrdf

  Score

  10^/10

  phobosevasionpersistenceransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Suspicious use of SetThreadContext

  behavioral3behavioral4