MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 14

Intelligence 14 IOCs YARA 18 File information Comments

SHA256 hash:	0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f
SHA3-384 hash:	0acea216428e4453eb75846acdaeb9b93ca4d533cd4f50dda710c63a95ea0a3f5c467cf6f443756ec65e4d04f4563b1e
SHA1 hash:	7c46db058fce4cc755fd101956a51b95d13bdbaa
MD5 hash:	2e793d675f43982b073ca9151b0c6ffa
humanhash:	jupiter-charlie-aspen-montana
File name:	DlQdq.exe
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	3'109'504 bytes
First seen:	2026-05-13 02:18:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1aae8bf580c846f39c71c05898e57e88 (200 x LummaStealer, 60 x SalatStealer, 18 x ValleyRAT)
ssdeep	49152:98lZH+qdxYJZ2LOgwT+L9GVuf0CA/torfEKLbQHV+:+l+qTYj2NwaU/8ErHg
Threatray	95 similar samples on MalwareBazaar
TLSH	T11EE51701FEC680F6D5425E3100BFB72F9B34690A8B354AABDEA07D5DF876B51683264C
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	1862d098f8e625d2 (1 x LummaStealer, 1 x Phorpiex)
Reporter	aachum
Tags:	dropped-by-Remus exe fiinterchillers-com Phorpiex signed

Code Signing Certificate

Organisation:	112bhv.nl
Issuer:	WE1
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-04-06T12:41:17Z
Valid to:	2026-07-05T13:41:08Z
Serial number:	61e4758e1274d0a70eaf33fab8518f3c
Intelligence:	13 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	372843fa8d4fb49ace680de324a779ac1516a1e057ee02309967af59802ae601
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

iamaachum

https://fiinterchillers.com/wp-content/uploads/DlQdq.exe

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-05-13 02:24:09 UTC

Tags:

raccoonclipper golang

Link:

https://app.any.run/tasks/de6ff906-ba49-443e-924e-0aa8f6e9622a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/65779/

Detection(s):

SecuriteInfo.com.W32.ABTrojan.PWGE-3804.21591.10996.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a03df6caa2b27a55c89cc74

Tags:

injection virus sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-vm evasive expand golang lolbin signed vidar

Link:

https://www.filescan.io/uploads/6a03df6cdf14f1cb2ad312ee/reports/6a9b1fa9-7565-419d-b452-38a2a53ab4b9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-12T03:04:00Z UTC

Last seen:

2026-05-15T00:03:00Z UTC

Hits:

~100

Detections:

BSS:Trojan.Win32.Generic Backdoor.Win64.Gsb.avh Backdoor.Win32.Gsb.sb VHO:Backdoor.Win64.Gsb.gen PDM:Trojan.Win32.Tasker.cust

Link:

https://opentip.kaspersky.com/0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f/results?tab=lookup

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac288ecb-355d-41aa-a4df-9124e97033e2

Result

Threat name:

Clipboard Hijacker

Detection:

malicious

Classification:

spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1912618

Signature

AI detected suspicious PE digital signature

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Unusual module load detection (module proxying)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Clipboard Hijacker

Behaviour

Behavior Graph:

Download SVG

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/2e793d675f43982b073ca9151b0c6ffa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f/

Verdict:

Malicious

Threat:

VHO:Backdoor.Win64.Gsb

Link:

https://tip.neiki.dev/file/0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-05-12 20:42:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=agb5lagah4guxfuy6q2zn7austgc3xlzj734mn325qakns3fknpq._file

Verdict:

malicious

Label(s):

unc_clipper

Phorpiex

74be7ab8e67082872207557db9fa87d19e6887c4496576206d8270a2c22536bd

Phorpiex

87671869a34ebae368c85a54310a826a5e1c887cc20888b76efd025e66f4485e

Phorpiex

88081f66ba8c0a2b9ef60c2b5d63f95f69bdf99555cb3f60f8ff23b40928d4d8

Phorpiex

97cc51baae950c680b213219d19cd6425446d2be6a595a878dfcdb321fdc4102

Phorpiex

9ee405806b03eb07ea76d170c8258d0602ee04b51c365560c542ecc7ff728d25

Phorpiex

a426c2090b8c2777661236aa54ce8eb143af9cc4c1aa8aa11261c6758a970921

Phorpiex

error

Phorpiex

f57c97c179d60db4d64c83ad25dab7b0b08474cd7191640631f88e4ebc4434c1

Phorpiex

+ 85 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/260513-crfjqsf19q/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Unpacked files

SH256 hash:

0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f

MD5 hash:

2e793d675f43982b073ca9151b0c6ffa

SHA1 hash:

7c46db058fce4cc755fd101956a51b95d13bdbaa

Link:

https://www.unpac.me/results/e0433cd8-79ec-4faa-a759-3887f5e4cf77/

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0183d580c03f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.08

Link:

https://yomi.yoroi.company/submissions/0183d580c03f0d4b9698f43596fc1494cc2ddd794ff7c6377aec00a6cb65535f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/