Overview

overview

10

Static

static

3

0b997e8b0d...46.exe

windows7-x64

10

0b997e8b0d...46.exe

windows10-2004-x64

10

Resubmissions

23-06-2023 08:47

230623-kp51lsde84 10

23-06-2023 08:31

230623-ketjtseg4s 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.zip

  • Size

    42KB

  • Sample

    230623-ketjtseg4s

  • MD5

    9d63bc016905a660f5762e1f09b97d98

  • SHA1

    b3c8624e786c5f715fe295cc6918199cdc773e69

  • SHA256

    90a15609ff6dab9ce8bc433c1fffca8fd5f3f5e8992536eb82e70b898ad2c826

  • SHA512

    2506d8ad3f10507ac197fd5bec62207536efb5c3650c4343586b19df1836c73203c4588649bf77b3d4fe2f8587b88a7c5220d06504290a3867df060ee46f9372

  • SSDEEP

    768:GmkM+Up4yhC/8KMEVim1PscQVnuT0BbdBfSDdugPOtVbG//2zWlrA8ATVUVoo:TX+i4yM/3Vwm6ccXBbdBfSpugSVbGH2i

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.exe

    • Size

      58KB

    • MD5

      d458a2f85bc1330f13acccd63d88d015

    • SHA1

      2604402597e41faa97db737fe0fb4166864752ad

    • SHA256

      0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446

    • SHA512

      5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99

    • SSDEEP

      1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/

    Score
    10/10
    phobosevasionpersistenceransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (203) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Renames multiple (466) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks