{
	"id": "7f72204c-8a43-4f8d-908d-b60236a14f99",
	"created_at": "2026-04-06T00:07:28.271517Z",
	"updated_at": "2026-04-10T03:32:45.881809Z",
	"deleted_at": null,
	"sha1_hash": "3c47389646c78714c80abecb366fcae1fccc5b03",
	"title": "VirusTotal - File - 0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72209,
	"plain_text": "SUMMARY DETECTION DETAILS RELATIONS BEHAVIOR COMMUNITY 8\r\nPopular threat label ransomware.phobos/smyxccw Threat categories ransomw Family labels phobos smy\r\nCode insights\r\nThis sample is a network worm with backdoor capabilities. It actively scans the local network for open\r\nSMB ports (TCP/445) using connect and htons(0x1bd). It spreads by enumerating and connecting to\r\nnetwork shares using WNetEnumResourceW and WNetUseConnectionW, utilizing unusual UNC paths like \\\\?\r\n\\UNC\\\\\\e-. The malware achieves privilege escalation by stealing the access token from explorer.exe\r\nAcronis (Static ML) Suspicious\r\nAhnLab-V3 Ransomware/Win.Phobos.R363595\r\nAlibaba Ransom:Win32/Phobos.665\r\nAliCloud RansomWare:Win/Phobos\r\nALYac Trojan.Ransom.Phobos\r\nAntiy-AVL Trojan[Ransom]/Win32.Phobos\r\nArcabit Trojan.Ransom.PHU\r\nArctic Wolf Unsafe\r\nAvast Win32:Phobos-D [Ransom]\r\nAVG Win32:Phobos-D [Ransom]\r\nAvira (no cloud) TR/Crypt.XPACK.Gen\r\nBitDefender Trojan.Ransom.PHU\r\nBkav Pro W32.RansomBeadsBH.Trojan\r\nClamAV Win.Ransomware.Ulise-7594403-0\r\nCrowdStrike Falcon Win/malicious_confidence_100% (W)\r\nCTX Exe.ransomware.phobos\r\nCynet Malicious (score: 100)\r\nSecurity vendors' analysis\r\n0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea\r\nhttps://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection\r\nPage 1 of 3\n\nDeepInstinct MALICIOUS\r\nDrWeb Trojan.Encoder.31543\r\nElastic Windows.Ransomware.Phobos\r\nEmsisoft Trojan.Ransom.PHU (B)\r\neScan Trojan.Ransom.PHU\r\nESET-NOD32 A Variant Of Win32/Filecoder.Phobos.C\r\nFortinet W32/FilecoderPhobos.C!tr.ransom\r\nGData Win32.Trojan-Ransom.Phobos.C\r\nGoogle Detected\r\nGridinsoft (no cloud) Ransom.Win32.Phobos.ko!s1\r\nHuorong Ransom/LockFile.kz\r\nIkarus Trojan-Ransom.Phobos\r\nJiangmin Trojan.Generic.ervnl\r\nK7AntiVirus Trojan ( 0055119f1 )\r\nK7GW Trojan ( 0055119f1 )\r\nKaspersky HEUR:Trojan-Ransom.Win32.Phobos.vho\r\nKingsoft Malware.kb.a.1000\r\nLionic Trojan.Win32.Phobos.j!c\r\nMalwarebytes Generic.Malware.gen.DDS\r\nMaxSecure Trojan.Malware.200479240.susgen\r\nMcAfee Scanner Ti!0B4C74324647\r\nMicrosoft Ransom:Win32/Phobos.PM\r\nNANO-Antivirus Trojan.Win32.Filecoder.himsij\r\nPalo Alto Networks Generic.ml\r\nPanda Trj/Genetic.gen\r\nQuickHeal Ransom.Phobos.S11618290\r\nRising Ransom.Phobos!1.C277 (CLASSIC)\r\nSangfor Engine Zero Ransom.Win32.Phobos_1.se2\r\nSecureAge Malicious\r\nSentinelOne (Static ML) Static AI - Malicious PE\r\nSkyhigh (SWG) BehavesLike.Win32.RansomPhobos.qc\r\nSophos Troj/Phobos-B\r\nSUPERAntiSpyware Trojan.Agent/Gen-Urelas\r\nSymantec Ransom.Phobos\r\nTACHYON Ransom/W32.Dharma.56832\r\nTencent Trojan-Ransom.Win32.Phobos.fa\r\nTrapmine Malicious.moderate.ml.score\r\nTrellix ENS Ransom-Phobos!2C73B0BF6F09\r\nPage 2 of 3\n\nTrendMicro Ransom.Win32.PHOBOS.SMYXCCW\r\nTrendMicro-HouseCall Ransom.Win32.PHOBOS.SMYXCCW\r\nVarist W32/Ransom.NA.gen!Eldorado\r\nVBA32 BScope.Trojan.MulDrop\r\nVIPRE Trojan.Ransom.PHU\r\nVirIT Ransom.Win32.Phobos.GEN\r\nViRobot Trojan.Win32.Ransom.56832.K\r\nWebroot W32.Ransom.Phobos\r\nWithSecure Trojan.TR/Crypt.XPACK.Gen\r\nXcitium Malware@#26cjdfj3dj37o\r\nYandex Trojan.GenAsa!oSQlCZwLKgc\r\nZillya Trojan.Filecoder.Win32.17371\r\nZoneAlarm by Check Point Troj/Phobos-B\r\nBaidu Undetected\r\nCMC Undetected\r\nTEHTRIS Undetected\r\nZoner Undetected\r\nAvast-Mobile Unable to process file type\r\nBitDefenderFalx Unable to process file type\r\nSymantec Mobile Insight Unable to process file type\r\nTrustlook Unable to process file type\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection"
	],
	"report_names": [
		"detection"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c47389646c78714c80abecb366fcae1fccc5b03.pdf",
		"text": "https://archive.orkl.eu/3c47389646c78714c80abecb366fcae1fccc5b03.txt",
		"img": "https://archive.orkl.eu/3c47389646c78714c80abecb366fcae1fccc5b03.jpg"
	}
}