Extracted

Extracted

• • Target

    9bd421c6f7f7d8278036944fcad3e04db408619678acf1b2024ef69d85c3932b

  • Size

    55KB

  • MD5

    9e79576cbd90a80fe04a8f4afa7cbece

  • SHA1

    3d51b94960c3bb966a8a886aacf75cbb6ff98556

  • SHA256

    9bd421c6f7f7d8278036944fcad3e04db408619678acf1b2024ef69d85c3932b

  • SHA512

    82f4881b53f8b679ab02fc9f8e711ce105067e6b5283dbec5d97e0e3c93e9fabbce4b94f123f0426ba12b5e45435edc06be19cce798de31d2005a5a53e820017

  • SSDEEP

    1536:kNeRBl5PT/rx1mzwRMSTdLpJeB6EP4oKeRwBB4rk:kQRrmzwR5JGhQc

  Score

  10^/10

  phobosevasionpersistenceransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral1behavioral2