General

  • Target

    Phobos.exe

  • Size

    8.3MB

  • Sample

    240603-lzwqcsag3z

  • MD5

    b3184dead6dac7d822200a5d62ff40a1

  • SHA1

    5204f2e8bf16e93c9629e7d0c481d0a3ec126b7e

  • SHA256

    bffc70a7958ba7b5e8b8181fe5f474e2cf05c21f8b46526156752bbef7f40638

  • SHA512

    e89908b98e35f0a939cac6f5b7b4e43d8b26476bca48608896bccfec5381d8ac0c08fe007a8ba8f15cca7e98b3faa8ac736fc3fdf2a3d03a47f7c853da216eb5

  • SSDEEP

    196608:QroLpyYFurErvI9pWjgaAnajMsbSEo23fQC//OoLxhm:LyYFurEUWjJjIfoo4jLxhm

Targets

    • Target

      Phobos.exe

    • Command and Scripting Interpreter: PowerShell (ATT&CK T1059.001)

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes (typically Add-MpPreference or Set-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess), so the dropped payloads are never scanned.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which holds saved credentials, cookies, session tokens and autofill entries.

    • UPX packed file

      The executable is packed with UPX or a modified build of the open-source UPX packer. Stock UPX unpacks with upx -d; modified variants usually rename the UPX sections and patch the header marker and need manual unpacking.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Queries a legitimate public IP-lookup service to learn the infected host's external IP address.
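
The Defender-exclusion behaviour above is easy to hunt for in PowerShell script-block logging. The following is an added example, not part of the sandbox report and not code from the sample: it scans ScriptBlockText values (Event ID 4104 shape) for Add-MpPreference / Set-MpPreference calls that set -ExclusionPath, -ExclusionExtension or -ExclusionProcess, extracts the excluded values and flags extension exclusions broad enough to blind the scanner. The log lines are constructed for the example.

```python
import re

# Constructed PowerShell script-block text in the shape of Event ID 4104 ScriptBlockText.
# These lines are made up for this example; they are not output from the sandbox run.
SAMPLE_SCRIPT_BLOCKS = [
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionExtension '.exe'",
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    'powershell -nop -w hidden -c "Add-MpPreference -ExclusionProcess \'Phobos.exe\'"',
    "Set-MpPreference -ExclusionPath C:\\ProgramData\\upd",
    "Add-MpPreference -ExclusionExtension exe,dll",
]

# Both cmdlets can add exclusions: Add-MpPreference appends, Set-MpPreference replaces the list.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# An -Exclusion* parameter followed by a single-quoted, double-quoted or bare value.
# Caveat: this matches plain text only; -EncodedCommand, string concatenation and
# abbreviated parameter names (-ExclusionP) evade it, so pair it with Defender's own
# configuration-change events rather than relying on it alone.
EXCL_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"]+))",
    re.IGNORECASE,
)
# Extensions whose exclusion effectively disables scanning of most payload types.
BROAD_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr"}


def find_defender_exclusions(script_blocks):
    """Return one hit per -Exclusion* parameter found in an Add/Set-MpPreference call."""
    hits = []
    for text in script_blocks:
        if not CMDLET_RE.search(text):
            continue
        for m in EXCL_RE.finditer(text):
            kind = m.group(1).capitalize()
            raw = m.group(2) or m.group(3) or m.group(4) or ""
            values = [v.strip() for v in raw.split(",") if v.strip()]
            broad = kind == "Extension" and any(
                v.lstrip(".").lower() in BROAD_EXTENSIONS for v in values
            )
            hits.append({"text": text, "kind": kind, "values": values, "broad": broad})
    return hits


def summarize(hits):
    """Count hits by exclusion kind, e.g. {'Path': 2, 'Extension': 2, 'Process': 1}."""
    counts = {}
    for h in hits:
        counts[h["kind"]] = counts.get(h["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_defender_exclusions(SAMPLE_SCRIPT_BLOCKS)
    for h in found:
        flag = " [BROAD]" if h["broad"] else ""
        print(f"{h['kind']:<9} {h['values']}{flag}  <- {h['text']}")
    print(summarize(found))
```

On a real host, feed it the ScriptBlockText field of Microsoft-Windows-PowerShell/Operational events and corroborate with Windows Defender Operational event 5007 (configuration changed), which records new exclusions regardless of how the command was obfuscated.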

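The "UPX packed file" signature above reduces to a few header checks. The following is an added example, not code from the report or the sample: it parses the PE section table with the standard library and reports three independent UPX indicators (UPX0/UPX1 section names, the "UPX!" header marker, and the layout signature that survives even a modified UPX build, a first section with no raw bytes on disk but a large virtual size). The PE images it runs on are minimal header skeletons constructed inside the block, not the Phobos.exe binary.

```python
import struct

UPX_SECTION_PREFIX = "UPX"
UPX_MARKER = b"UPX!"  # l_info magic that stock UPX leaves in the packed header


def pe_sections(data):
    """Parse a PE image's section table; returns [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_opt  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return sections


def upx_indicators(data):
    """Return the reasons this image looks UPX-packed (empty list means none found)."""
    sections = pe_sections(data)
    names = [n for n, _, _ in sections]
    reasons = []
    if any(n.upper().startswith(UPX_SECTION_PREFIX) for n in names):
        reasons.append("UPX section names: " + ", ".join(names))
    if UPX_MARKER in data:
        reasons.append("'UPX!' marker present")
    # Modified UPX builds rename sections and patch the marker, but the layout survives:
    # the first section is empty on disk and only materialises once the stub unpacks it.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        reasons.append(f"first section {names[0]!r} has 0 raw bytes but 0x{sections[0][1]:x} virtual")
    return reasons


def is_probably_upx(data):
    return bool(upx_indicators(data))


def build_fake_pe(sections, trailer=b""):
    """Construct a minimal PE32 header skeleton with the given (name, virtual_size, raw_size)
    table. Not a runnable executable; it exists only to exercise the parser above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)  # Magic = PE32, remainder zeroed
    table = b""
    for name, vsize, rawsize in sections:
        hdr = name.encode()[:8].ljust(8, b"\x00")
        hdr += struct.pack("<IIII", vsize, 0, rawsize, 0) + b"\x00" * 16
        table += hdr
    return dos + b"PE\x00\x00" + coff + opt + table + trailer


# Constructed samples for the example (not the Phobos.exe binary from the report).
SAMPLE_STOCK_UPX = build_fake_pe(
    [("UPX0", 0x9000, 0), ("UPX1", 0x3000, 0x3000), (".rsrc", 0x200, 0x200)], UPX_MARKER
)
SAMPLE_RENAMED_UPX = build_fake_pe([(".text", 0x9000, 0), (".data", 0x3000, 0x3000)])
SAMPLE_PLAIN = build_fake_pe([(".text", 0x1000, 0x1000), (".data", 0x200, 0x200)])

if __name__ == "__main__":
    for label, img in [("stock", SAMPLE_STOCK_UPX), ("renamed", SAMPLE_RENAMED_UPX), ("plain", SAMPLE_PLAIN)]:
        print(label, upx_indicators(img))
```

To run it on a real file, pass `open(path, "rb").read()` to `upx_indicators`. Only the first two indicators mean `upx -d` will work; when only the layout indicator fires, expect a modified packer that has to be unpacked manually or from a memory dump.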
MITRE ATT&CK Enterprise v15