phobos | 1ca85c7d735a4bdc8900acd52f4ec46bf0d0f13908907657175bbf92d82e28ce | Triage

Sharing

General

Target

1ca85c7d735a4bdc8900acd52f4ec46bf0d0f13908907657175bbf92d82e28ce.exe
Size

55KB
Sample

221211-a2skyagd66
MD5

796e90187c74f7222087d8980c11d37e
SHA1

c6cc5262ccf23915805e3ea50888eb7f1ec8abc3
SHA256

1ca85c7d735a4bdc8900acd52f4ec46bf0d0f13908907657175bbf92d82e28ce
SHA512

c1f802448f1cf55bb3d5800a9d3431a17f97d54e40b1815257b02b255fe2ed7cd1ceade307d56dfa6c44f40ef048da2096a4e87f262d4287359ef694a487c7fb
SSDEEP

1536:tNeRBl5PT/rx1mzwRMSTdLpJy8DFBhoj+:tQRrmzwR5J1DF5

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  1ca85c7d735a4bdc8900acd52f4ec46bf0d0f13908907657175bbf92d82e28ce.exe
- Size
  
  55KB
- MD5
  
  796e90187c74f7222087d8980c11d37e
- SHA1
  
  c6cc5262ccf23915805e3ea50888eb7f1ec8abc3
- SHA256
  
  1ca85c7d735a4bdc8900acd52f4ec46bf0d0f13908907657175bbf92d82e28ce
- SHA512
  
  c1f802448f1cf55bb3d5800a9d3431a17f97d54e40b1815257b02b255fe2ed7cd1ceade307d56dfa6c44f40ef048da2096a4e87f262d4287359ef694a487c7fb
- SSDEEP
  
  1536:tNeRBl5PT/rx1mzwRMSTdLpJy8DFBhoj+:tQRrmzwR5J1DF5
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomware

behavioral2

phobosevasionpersistenceransomwarespywarestealer