phobos

General

Target

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
Size

374KB
Sample

230715-arzw9shd71
MD5

11715c27335a026129dfc1695ebc8888
SHA1

0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512

f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220
SSDEEP

6144:QtLsBkjsroZJCTfQtzrmGaLOLn10TCvDuNcwnkOrpbMfBjiOQDvFp:ggAsrowTfQFrLdLWYecxqpmuOQv7

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

systembc

C2

adstat477d.xyz:4044

demstat577d.xyz:4044

Targets

- Target
  
  c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
- Size
  
  374KB
- MD5
  
  11715c27335a026129dfc1695ebc8888
- SHA1
  
  0ffaa4f65fbf2bc0750b972621f37c787b0231e2
- SHA256
  
  c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
- SHA512
  
  f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220
- SSDEEP
  
  6144:QtLsBkjsroZJCTfQtzrmGaLOLn10TCvDuNcwnkOrpbMfBjiOQDvFp:ggAsrowTfQFrLdLWYecxqpmuOQv7
Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
- Detect rhadamanthys stealer shellcode
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (87) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1