General
-
Target
2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos
-
Size
56KB
-
Sample
240620-x6bjjstfla
-
MD5
e0ca8aab0fb03f86b47664271cf17e1d
-
SHA1
20c16588264bbb183b0b180e9ea8bd3886ab7a47
-
SHA256
844afe9491b526a0a7fe3ad39386082353a1944873b92fcd1aa5ff1f0cf4fec9
-
SHA512
402e6baa938fbd8b7fb10b5f3054217f1611faa95d3034ee27aed1027536d796ecbb55e91e6b91bb30440b1199a71fa19bd57addbf6d9be0e1c75e29fcdf11e6
-
SSDEEP
1536:ENeRBl5PT/rx1mzwRMSTdLpJKfiFiGtmtNkU:EQRrmzwR5JtRt8N
Score
10/10
Malware Config
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>anderson.notneo@onionmail.org</span></div>
<div class='bold'>Write this ID in the title of your message <span class='mark'>8DC4A3DA-3538</span></div>
<div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>mrandersonnotneo@cock.li</span></div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
class='mark'>anderson.notneo@onionmail.org</span></div>
class='mark'>mrandersonnotneo@cock.li</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>anderson.notneo@onionmail.org</span></div>
<div class='bold'>Write this ID in the title of your message <span class='mark'>2C52DD15-3538</span></div>
<div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>mrandersonnotneo@cock.li</span></div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
class='mark'>anderson.notneo@onionmail.org</span></div>
class='mark'>mrandersonnotneo@cock.li</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Targets
-
-
Target
2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos
-
Size
56KB
-
MD5
e0ca8aab0fb03f86b47664271cf17e1d
-
SHA1
20c16588264bbb183b0b180e9ea8bd3886ab7a47
-
SHA256
844afe9491b526a0a7fe3ad39386082353a1944873b92fcd1aa5ff1f0cf4fec9
-
SHA512
402e6baa938fbd8b7fb10b5f3054217f1611faa95d3034ee27aed1027536d796ecbb55e91e6b91bb30440b1199a71fa19bd57addbf6d9be0e1c75e29fcdf11e6
-
SSDEEP
1536:ENeRBl5PT/rx1mzwRMSTdLpJKfiFiGtmtNkU:EQRrmzwR5JtRt8N
Score10/10-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
2