Overview

overview

10

Static

static

3

0b997e8b0d...46.exe

windows7-x64

10

0b997e8b0d...46.exe

windows10-2004-x64

10

Resubmissions

21-06-2023 07:15

230621-h3fxjahc7x 10

21-06-2023 07:09

230621-hy1fdaga46 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.zip

  • Size

    42KB

  • Sample

    230621-h3fxjahc7x

  • MD5

    f82b59005b56239fff90e81e5472df0c

  • SHA1

    34da23a79dc1d9ee6a3a5ae131a89f3f804c3c04

  • SHA256

    084bcc67847bf29586354adce89daac64b8b3db88a5d1c8f5c05b8a64f45e829

  • SHA512

    b9a56d238596c3968161a0ba9f24e36f936f14b77c188a3422804aa3af45f09458e9961a1027fb6f216df563922308aed79fb359e2140eaa42ab2fb701599efd

  • SSDEEP

    768:5E9hqatYX3j1aibJwu571baAaGJslconZlqUKItQJ0hqVxXPS1wh7Tdp/Gh:5EXqvj1DbJw6bZaGITqLWIvB9hp+h

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.exe

    • Size

      58KB

    • MD5

      d458a2f85bc1330f13acccd63d88d015

    • SHA1

      2604402597e41faa97db737fe0fb4166864752ad

    • SHA256

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446

    • SHA512

      5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99

    • SSDEEP

      1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (304) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Renames multiple (465) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks