Resubmissions

18-01-2023 08:49

230118-krh9mahh9x 10

05-01-2023 12:09

230105-pbskksbh36 10

General

  • Target

    11.exe

  • Size

    55KB

  • Sample

    230118-krh9mahh9x

  • MD5

    d5b1a26c5c3b592c7008f440a36be0c3

  • SHA1

    ac56976f6a5c9da52651d7a220a7a73e0d83b08a

  • SHA256

    818f1f91d4975dc988b1fc8d0380ce45f414623bd52b045a3f36241c859c90fc

  • SHA512

    2499b52bb1241ed091fc12404cf63446322015999b7d10afc8fd19d56ae8b58b73bad76723a4832b227d624e09271605135e19b17a75c7f003f91a4d7deb60ee

  • SSDEEP

    1536:UNeRBl5PT/rx1mzwRMSTdLpJg0BxI0qvGY:UQRrmzwR5JLI0l

Malware Config

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
Files are locked* but not corrupted
Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] or alteranive mail [email protected] , specify in the subject unique identifier A49D407D-2822 and you will definitely be helped to recover.
*you can send us a couple of files and we will return the restored ones to prove that only we can do it
IMPORTANT:
1. the infection was due to vulnerabilities in your software
2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data.
3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers.
4. if we do not respond to you within 24 hours, send a message to our telegram - @phobos_support
5. if you need an alternative communication channel - write a request by e-mail
6. our goal is to return your data, but if you do not contact us, we will not succeed

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
Files are locked* but not corrupted
Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] or alteranive mail [email protected] , specify in the subject unique identifier 70578ED8-2822 and you will definitely be helped to recover.
*you can send us a couple of files and we will return the restored ones to prove that only we can do it
IMPORTANT:
1. the infection was due to vulnerabilities in your software
2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data.
3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers.
4. if we do not respond to you within 24 hours, send a message to our telegram - @phobos_support
5. if you need an alternative communication channel - write a request by e-mail
6. our goal is to return your data, but if you do not contact us, we will not succeed
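
The two notes above differ only in the victim identifier, which is the field an incident responder needs first (it is what the attacker keys the "case" on). The following is an added example, not code from the sandbox report, that pulls the identifier and contact channels out of Phobos-style notes. The sample notes are abridged copies of the two extracted from C:\users\public\desktop\info.hta; the mailboxes appear as the redacted placeholder "[email protected]" exactly as on the report page, so the e-mail extractor returns nothing for them (on an unredacted note it would return the attacker mailboxes). Reading the identifier as eight hex characters, a dash and four digits, and comparing that suffix across notes, is this example's assumption and not something the report states.

```python
"""Extract triage indicators from Phobos-style ransom notes.

Added example, not code from the sandbox report. The notes below are
abridged copies of the report's two extracted notes; '[email protected]'
is the redacted placeholder shown on the report page, so no mailbox is
recovered from these samples. The <8 hex>-<4 digit> identifier layout and
the suffix comparison are assumptions of this example."""
import html
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Sample input, constructed from the report's two extracted notes (abridged).
# note_2 is wrapped in minimal HTML to stand in for the real info.hta body.
NOTES = {
    "note_1": (
        "Send an email [email protected] or alteranive mail [email protected] , "
        "specify in the subject unique identifier A49D407D-2822 and you will "
        "definitely be helped to recover. "
        "4. if we do not respond to you within 24 hours, send a message to our "
        "telegram - @phobos_support"
    ),
    "note_2": (
        "<html><body>Send an email [email protected] or alteranive mail "
        "[email protected] , specify in the subject unique identifier "
        "70578ED8-2822 and you will definitely be helped to recover. "
        "4. if we do not respond to you within 24 hours, send a message to our "
        "telegram - @phobos_support</body></html>"
    ),
}

ID_RE = re.compile(r"unique identifier\s+([0-9A-Fa-f]{8}-\d{4})")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# '@' not preceded by a word character or dot, so the local part of an
# e-mail address is never mistaken for a Telegram handle.
TELEGRAM_RE = re.compile(r"(?<![\w.])@[A-Za-z0-9_]{5,}")
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class NoteIOCs:
    victim_id: Optional[str]
    emails: List[str] = field(default_factory=list)
    telegram: List[str] = field(default_factory=list)


def strip_hta(raw: str) -> str:
    """info.hta is an HTML application: drop tags and decode entities so the
    regexes see the same text the victim sees on the desktop."""
    return html.unescape(TAG_RE.sub(" ", raw))


def parse_note(raw: str) -> NoteIOCs:
    text = strip_hta(raw)
    m = ID_RE.search(text)
    victim_id = m.group(1).upper() if m else None
    emails = sorted(set(EMAIL_RE.findall(text)))
    telegram = sorted(set(TELEGRAM_RE.findall(text)))
    return NoteIOCs(victim_id, emails, telegram)


def shared_suffix(notes: Iterable[str]) -> Optional[str]:
    """Return the 4-digit suffix if every note carries the same one, else None.
    A shared suffix across separate infections is what makes it worth pivoting
    on (assumption: the suffix is stable per operator, the prefix per victim)."""
    suffixes = set()
    for raw in notes:
        vid = parse_note(raw).victim_id
        if vid is None:
            return None
        suffixes.add(vid.split("-", 1)[1])
    return suffixes.pop() if len(suffixes) == 1 else None


if __name__ == "__main__":
    for name, raw in NOTES.items():
        print(name, parse_note(raw))
    print("shared suffix:", shared_suffix(NOTES.values()))
```

Run against real info.hta files, feed the raw file content to `parse_note` so the tag stripping does its job; the identifier is what to quote in the incident record, and the suffix is the field to search other notes for when deciding whether two cases belong to the same operator.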

Targets

    • Target

      11.exe

    • Size

      55KB

    • MD5

      d5b1a26c5c3b592c7008f440a36be0c3

    • SHA1

      ac56976f6a5c9da52651d7a220a7a73e0d83b08a

    • SHA256

      818f1f91d4975dc988b1fc8d0380ce45f414623bd52b045a3f36241c859c90fc

    • SHA512

      2499b52bb1241ed091fc12404cf63446322015999b7d10afc8fd19d56ae8b58b73bad76723a4832b227d624e09271605135e19b17a75c7f003f91a4d7deb60ee

    • SSDEEP

      1536:UNeRBl5PT/rx1mzwRMSTdLpJg0BxI0qvGY:UQRrmzwR5JLI0l

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

      Changing boot recovery settings is another way ransomware inhibits system recovery.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Windows Firewall

      Ransomware may disable or alter the host firewall to weaken defences.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

      Files placed in the Startup folder run at logon and provide persistence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Registry Run keys provide persistence across reboots.

    • Drops desktop.ini file(s)
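
The four recovery-inhibiting signatures above (shadow copies, bcdedit, wbadmin) plus the firewall and Run-key ones all boil down to command lines spawned by the sample, which is how a SOC usually catches them. The following is an added example, not code from the sandbox report, that runs that detection over process-creation events. The event lines are constructed in a simple "timestamp|parent|image|command line" layout; the exact bcdedit, netsh and reg command forms are the ones these signature names commonly match, not commands the report shows for this sample. ATT&CK IDs use current numbering rather than the v6 numbering the report references.

```python
"""Flag recovery-inhibiting, firewall-tampering and Run-key persistence
commands in process-creation events.

Added example, not code from the sandbox report. SAMPLE_EVENTS is
constructed; the hostile command lines are the forms the report's
signature names commonly match, not commands observed for this sample.
Technique IDs are current ATT&CK numbering, not v6."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample: eight hostile commands, then two benign look-alikes
# that a naive "vssadmin"/"netsh" substring match would also flag.
SAMPLE_EVENTS = r"""
2023-01-18T08:49:03|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-01-18T08:49:03|cmd.exe|wmic.exe|wmic shadowcopy delete
2023-01-18T08:49:04|cmd.exe|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2023-01-18T08:49:04|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled no
2023-01-18T08:49:05|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet
2023-01-18T08:49:05|cmd.exe|netsh.exe|netsh advfirewall set currentprofile state off
2023-01-18T08:49:05|cmd.exe|netsh.exe|netsh firewall set opmode mode=disable
2023-01-18T08:49:06|sample.exe|reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sample /t REG_SZ /d C:\Users\Public\sample.exe
2023-01-18T09:02:11|explorer.exe|vssadmin.exe|vssadmin list shadows
2023-01-18T09:03:40|mmc.exe|netsh.exe|netsh advfirewall show allprofiles
"""

# (technique, description, pattern) - patterns are mutually exclusive so a
# single event yields at most one hit.
RULES = [
    ("T1490", "delete volume shadow copies (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "delete shadow copies via WMI",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "disable boot recovery (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "delete backup catalog (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1562.004", "disable firewall profile (netsh advfirewall)",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("T1562.004", "disable firewall, legacy syntax (netsh firewall)",
     re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I)),
    ("T1547.001", "persistence via Run key (reg add)",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]


@dataclass
class Hit:
    timestamp: str
    parent: str
    technique: str
    description: str
    command_line: str


def parse_events(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, parent, image, command line); skip blank/malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 3)
        if len(parts) == 4:
            yield tuple(parts)


def detect(text: str) -> List[Hit]:
    hits = []
    for ts, parent, _image, cmd in parse_events(text):
        for technique, desc, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Hit(ts, parent, technique, desc, cmd))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    return dict(Counter(h.technique for h in hits))


def verdict(hits: List[Hit]) -> str:
    """Two or more distinct recovery-inhibiting commands under one parent is the
    tell: a backup job or admin session does not chain vssadmin, bcdedit and
    wbadmin deletions together, ransomware routinely does."""
    per_parent: Dict[str, set] = {}
    for h in hits:
        if h.technique == "T1490":
            per_parent.setdefault(h.parent, set()).add(h.description)
    if any(len(descs) >= 2 for descs in per_parent.values()):
        return "ransomware-like"
    return "inconclusive"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h.timestamp, h.technique, h.description, "<-", h.command_line)
    print(summarize(found), verdict(found))
```

The single-parent rule in `verdict` is the part worth keeping when porting this to a SIEM: any one of these commands fires in normal administration now and then, but several of them from the same cmd.exe within seconds does not.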

MITRE ATT&CK Enterprise v6
