General
- Target: Phobos.exe
- Size: 8.3MB
- Sample: 240603-lzwqcsag3z
- MD5: b3184dead6dac7d822200a5d62ff40a1
- SHA1: 5204f2e8bf16e93c9629e7d0c481d0a3ec126b7e
- SHA256: bffc70a7958ba7b5e8b8181fe5f474e2cf05c21f8b46526156752bbef7f40638
- SHA512: e89908b98e35f0a939cac6f5b7b4e43d8b26476bca48608896bccfec5381d8ac0c08fe007a8ba8f15cca7e98b3faa8ac736fc3fdf2a3d03a47f7c853da216eb5
- SSDEEP: 196608:QroLpyYFurErvI9pWjgaAnajMsbSEo23fQC//OoLxhm:LyYFurEUWjJjIfoo4jLxhm
Behavioral task
behavioral1
- Sample: Phobos.exe
- Resource: win7-20240221-en
Malware Config
Targets
- Target: Phobos.exe
- Size: 8.3MB
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.