Extracted

Extracted

• • Target

    HEUR-Trojan.MSIL.DelShad.gen-b188674706de2125e487aadc14769e5e4c20f311a1abfd098441c4a8bc41ed27.exe

  • Size

    753KB

  • MD5

    4f1025c0661cc0fa578a52466fa65b71

  • SHA1

    591d9da3673498a3cf184637c0b83e62fa7e1e8c

  • SHA256

    b188674706de2125e487aadc14769e5e4c20f311a1abfd098441c4a8bc41ed27

  • SHA512

    9e75f94bccc8a78d2436455d58eab1fb4632b98351e0af5417a82d85a1ee541086331a1cd30611ec5782e24eb3fbf448eee5cbb605b05219131d997f1325a0a5

  • SSDEEP

    12288:jzKha/nj5OLpdNIrd4Dx5OLpdNIrd4Di:7FmXIrdCmXIrdf

  Score

  10^/10

  phobosevasionpersistenceransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Suspicious use of SetThreadContext

  behavioral1behavioral2