General
-
Target
Fantom.exe
-
Size
261KB
-
Sample
240817-ghxtwatbql
-
MD5
7d80230df68ccba871815d68f016c282
-
SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6
-
SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
-
SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
SSDEEP
3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
Extracted
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Targets
-
-
Target
Fantom.exe
-
Size
261KB
-
MD5
7d80230df68ccba871815d68f016c282
-
SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6
-
SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
-
SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
SSDEEP
3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score10/10-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Renames multiple (3044) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory
-