Overview

overview

10

Static

static

7d9c97a133...b5.exe

windows7-x64

10

7d9c97a133...b5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    891671a3dbedc9f31325acd29ec912bf.bin

  • Size

    39KB

  • Sample

    230130-xl19gabg25

  • MD5

    1b8e447e7a01120e9b21d641ff14ad44

  • SHA1

    019ab828216e44afad45efc401bc5fde7c852a3f

  • SHA256

    bb5fefcddc71b67729161698e68808ee37da3ac244cf03445d2b77f05798fd37

  • SHA512

    85489de7bda5920323d6f39ef227e9120ad8b8b969d59d0446306a218d648d0398ac470b06f2e0169a770bd6c81b435717bd0965c74b75611b383627b4dd8032

  • SSDEEP

    768:chwpvruE86Zi8JNP1q18C8MIX8WGJGy+ccqZD18FQfuIKmkkX6zF9B4GWGF4EX86:chMTuEbZhjtq+J8WgGyFVR8FQWIKo6zD

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe

    • Size

      56KB

    • MD5

      891671a3dbedc9f31325acd29ec912bf

    • SHA1

      9d0f4cb30fdf9cf55948306190e3f71a72cff9f0

    • SHA256

      7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5

    • SHA512

      014488fad8ecfa5dd583d14e7084f4c9f6eb180aa3f06157546467f6b545a849a90afb04eff0f20cc7d11d1a04986e260ddcf6d97a09ab7798022640706fc6ee

    • SSDEEP

      1536:CNeRBl5PT/rx1mzwRMSTdLpJ/VeHOR8ZJ+EJ:CQRrmzwR5JdeHG8ZJVJ

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks