phobos | 4d30670f6311dc373dcbfb5bd93cf1621b1d6c425c8c9a95dc0a1317d0bdf648 | Triage

Submit
Reports

Overview

overview

Static

static

1

AntiRecuva...in.exe

windows7-x64

AntiRecuva...in.exe

windows10-2004-x64

Sharing

General

Target

AntiRecuvaAndDB.bin.exe
Size

55KB
Sample

230315-eshftsdd2v
MD5

cebe17fcdfe9daf1438d2ba986fac811
SHA1

d906ad344a57663efbbe291bccd74ba4061f119b
SHA256

4d30670f6311dc373dcbfb5bd93cf1621b1d6c425c8c9a95dc0a1317d0bdf648
SHA512

7922350eb257ce02b0d3b317f08bea8f60e2c6dddc473c28d2e3549033728025aed15a370ea23551a8cf283b4fa81a7a698eed51a6205f132fdec2263294b716
SSDEEP

1536:hkcgYgbig9EhjWNMSTdwp++lye/RDNExB0:hj8ijWNw++lyY20

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

AntiRecuvaAndDB.bin.exe

Resource

win7-20230220-en

phobos evasion persistence ransomware spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

AntiRecuvaAndDB.bin.exe

Resource

win10v2004-20230220-en

phobos evasion persistence ransomware spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  AntiRecuvaAndDB.bin.exe
- Size
  
  55KB
- MD5
  
  cebe17fcdfe9daf1438d2ba986fac811
- SHA1
  
  d906ad344a57663efbbe291bccd74ba4061f119b
- SHA256
  
  4d30670f6311dc373dcbfb5bd93cf1621b1d6c425c8c9a95dc0a1317d0bdf648
- SHA512
  
  7922350eb257ce02b0d3b317f08bea8f60e2c6dddc473c28d2e3549033728025aed15a370ea23551a8cf283b4fa81a7a698eed51a6205f132fdec2263294b716
- SSDEEP
  
  1536:hkcgYgbig9EhjWNMSTdwp++lye/RDNExB0:hj8ijWNw++lyY20
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomwarespywarestealer

behavioral2

phobosevasionpersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy