phobos | 09cb34eeb242e0664d105e6e040ea247072297be4df66a5261eef59e5be613fa | Triage

Sharing

General

Target

AntiRecuvaDB.exe
Size

60KB
Sample

240321-2fxrbaeb6y
MD5

574e43cffc3bde6f5c99dfd08cdd36ec
SHA1

fe51fcd4e6c4cc670db61bd7238eb8077f667784
SHA256

09cb34eeb242e0664d105e6e040ea247072297be4df66a5261eef59e5be613fa
SHA512

1e0a2e705ce36312eca98bd335ccc736cc8c62d9bab0c23e8d1354f370c010ba149052ba6315db9d7c9bbe5157c1a3098c43a0e7b495dd90179ea62c57c492ba
SSDEEP

1536:KNeRBl5PT/rx1mzwRMSTdLpJiCIrTJmxgwRpA9O:KQRrmzwR5JuT8d/A9O

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  AntiRecuvaDB.exe
- Size
  
  60KB
- MD5
  
  574e43cffc3bde6f5c99dfd08cdd36ec
- SHA1
  
  fe51fcd4e6c4cc670db61bd7238eb8077f667784
- SHA256
  
  09cb34eeb242e0664d105e6e040ea247072297be4df66a5261eef59e5be613fa
- SHA512
  
  1e0a2e705ce36312eca98bd335ccc736cc8c62d9bab0c23e8d1354f370c010ba149052ba6315db9d7c9bbe5157c1a3098c43a0e7b495dd90179ea62c57c492ba
- SSDEEP
  
  1536:KNeRBl5PT/rx1mzwRMSTdLpJiCIrTJmxgwRpA9O:KQRrmzwR5JuT8d/A9O
Score

10^/10

phobos evasion persistence ransomware spyware stealer
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (68) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

phobosevasionpersistenceransomwarespywarestealer

behavioral2

phobosevasionpersistenceransomwarespywarestealer