phobos | 4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a | Triage

Sharing

General

Target

4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a
Size

56KB
Sample

230124-y4bl7sfc4v
MD5

c5d5171d5af7b55de4056c8ef928b6d2
SHA1

62f92ae34f886ae7c77f5c3eaf52fecdb00d6b77
SHA256

4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a
SHA512

af700712dfd0ed80217326ab7c4d3dd41bbe7620ea1abfcbba40e1233933fa206663c1fd08467fce3793e975c8c216ce0c882d5780fc5e364e24c0e483a7e24a
SSDEEP

768:GvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EwykIrI8OAeMm:INeRBl5PT/rx1mzwRMSTdLpJwyBQ0m

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a
- Size
  
  56KB
- MD5
  
  c5d5171d5af7b55de4056c8ef928b6d2
- SHA1
  
  62f92ae34f886ae7c77f5c3eaf52fecdb00d6b77
- SHA256
  
  4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a
- SHA512
  
  af700712dfd0ed80217326ab7c4d3dd41bbe7620ea1abfcbba40e1233933fa206663c1fd08467fce3793e975c8c216ce0c882d5780fc5e364e24c0e483a7e24a
- SSDEEP
  
  768:GvrNNeRBl5JFTXqwXrkgrn/9/HiDKGwRj4RcTdyH4pYT3nPKVU1EwykIrI8OAeMm:INeRBl5PT/rx1mzwRMSTdLpJwyBQ0m
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomwarespywarestealer

behavioral2

phobosevasionpersistenceransomwarespywarestealer