MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01b3da80517886f0b91023294da6be87ec44dd87eadc39b9141950fc54f96783. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 8



SHA256 hash: 01b3da80517886f0b91023294da6be87ec44dd87eadc39b9141950fc54f96783
SHA3-384 hash: 658f9beca3a1ac7812bb5650ad8876658e4b23cfd250028e7b93143d44e39ae594e2fba2e00a5d73363d64f243e6059e
SHA1 hash: 49d48d747cfbe8310161600d2ae8c7a01f7c74cd
MD5 hash: bdc0968a6b40243c3b54fe554fa7567b
humanhash: quiet-kilo-fillet-uranus
File name: bdc0968a6b40243c3b54fe554fa7567b.exe
Signature: Phorpiex
File size: 69'288 bytes
First seen: 2020-11-28 10:17:22 UTC
Last seen: 2020-11-28 11:48:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fbecc3bacdedc1f5048fb3fc99ff4ac6 (1 x Phorpiex, 1 x Worm.m0yv)
ssdeep: 1536:pdgY9pPMc4AtQbmwUr94rAymbThOM+GWPzs4:vPk1UmrNmbFOM+GWQ
Threatray: 20 similar samples on MalwareBazaar
TLSH: EF631901B785913AF8F305F18BBA5569552DFEB2078960CB63C45E4E6AF0AE1BD30363
Reporter: abuse_ch
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 2
# of downloads: 234
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for recently created files
Searching for the window
Searching for many windows
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
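The signature list records that the sample tries to resolve many domain names with none resolving, and the behaviour graph below shows what those names look like: single 16-letter labels under .to and .ws. The following is an added example, not MalwareBazaar's or any sandbox vendor's code, of turning that observation into a check over resolver logs. The key=value log format, client IPs, response codes and the benign names are constructed placeholders; only the .to/.ws names are taken from this entry.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed resolver log in an assumed key=value form (not any real resolver's
# output). The .to/.ws names are the ones shown in the behaviour graph; client
# IPs, rcodes and the benign names are placeholders.
SAMPLE_DNS_LOG = """\
client=10.0.0.5 qname=wdkowdohwodhfhfg.to rcode=NXDOMAIN
client=10.0.0.5 qname=gaueudbuwdbuguug.to rcode=NXDOMAIN
client=10.0.0.5 qname=wduufbaueeubffgg.to rcode=NXDOMAIN
client=10.0.0.5 qname=okdoekeoehghaoeg.to rcode=NXDOMAIN
client=10.0.0.5 qname=wduufbaueeubffgk.ws rcode=NXDOMAIN
client=10.0.0.5 qname=worm.ws rcode=NOERROR
client=10.0.0.5 qname=api.wipmania.com rcode=NOERROR
client=10.0.0.7 qname=www.example.com rcode=NOERROR
client=10.0.0.7 qname=typo-in-hostname.example rcode=NXDOMAIN
"""

LOG_RE = re.compile(r"client=(\S+)\s+qname=(\S+)\s+rcode=(\S+)")
CHEAP_TLDS = {"to", "ws", "top"}   # TLDs seen in this report; extend per environment
MIN_LABEL_LEN = 12                 # the observed labels are 16 letters long
THRESHOLD = 5                      # generated-looking NXDOMAINs per client before alerting


class DnsRecord(NamedTuple):
    client: str
    qname: str
    rcode: str


def parse_log(text: str) -> List[DnsRecord]:
    """Parse the key=value log into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append(DnsRecord(m.group(1), m.group(2).rstrip(".").lower(), m.group(3).upper()))
    return records


def looks_generated(qname: str) -> bool:
    """Pattern in this report: one long letters-only label directly under a cheap TLD."""
    parts = qname.split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return tld in CHEAP_TLDS and len(label) >= MIN_LABEL_LEN and label.isalpha()


def score_clients(records: List[DnsRecord]) -> Dict[str, Dict[str, object]]:
    """Count NXDOMAIN answers for generated-looking names per client; flag at THRESHOLD."""
    per_client: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.rcode == "NXDOMAIN" and looks_generated(r.qname):
            per_client[r.client].append(r.qname)
    return {
        client: {"count": len(names), "flagged": len(names) >= THRESHOLD, "examples": names[:3]}
        for client, names in per_client.items()
    }


def flagged_clients(text: str) -> List[str]:
    """Clients whose resolution pattern matches the one in this report."""
    return sorted(c for c, v in score_clients(parse_log(text)).items() if v["flagged"])


if __name__ == "__main__":
    for client, verdict in score_clients(parse_log(SAMPLE_DNS_LOG)).items():
        print(client, verdict)
```

The threshold and TLD list are tuned to this one report and will need adjusting elsewhere. Note that the names that did resolve here (worm.ws, worm.top, tldrnet.top, api.wipmania.com) are short and deliberately do not trip the heuristic, so this check complements, rather than replaces, plain IOC matching on the domains and IPs listed in the graph.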
Behaviour
Behavior Graph (ID 324112; sample y7ddF1vGqA.exe; start date 28/11/2020; architecture WINDOWS; score 100), recovered from the graph rendering:

Top level: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures. Domains contacted: wdkowdohwodhfhfg.to, gaueudbuwdbuguug.to and 11 other IPs or domains (tries to resolve many domain names, but no domain seems valid). Processes started: y7ddF1vGqA.exe, svchost.exe, svchost.exe and 10 other processes.

y7ddF1vGqA.exe
  network: worm.ws (217.8.117.10, ports 49716, 49726, 49727; CREXFEXPEX-RUSSIARU, Russian Federation; Stratum mining protocol detected on this connection), tldrnet.top
  dropped: C:\Users\user\AppData\Local\Temp\D673.exe (PE32), C:\Users\user\AppData\Local\...\32[1].exe (PE32)
  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: D673.exe

svchost.exe (two instances) and 10 other processes
  network: api.wipmania.com, 192.168.2.1, 127.0.0.1
  started: MpCmdRun.exe, which started conhost.exe

D673.exe
  network: api.wipmania.com (212.83.168.196, ports 49719, 49725, 49728; OnlineSASFR, France)
  dropped: C:\28385667311123\svchost.exe (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
  started: svchost.exe

svchost.exe (started by D673.exe)
  network: wduufbaueeubffgg.to, okdoekeoehghaoeg.to and 25 other IPs or domains (tries to resolve many domain names, but no domain seems valid)
  dropped: C:\Users\user\AppData\...\1607910050.exe (data), C:\Users\user\AppData\...\1101510793.exe (data)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Changes security center settings (notifications, updates, antivirus, firewall); 2 other signatures
  started: 1101510793.exe, 1607910050.exe

1101510793.exe
  dropped: C:\Users\user\AppData\Local\Temp\15080.exe (PE32), C:\Users\user\AppData\Local\...\xmrmin[1].exe (PE32)
  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: 15080.exe

1607910050.exe
  network: api.wipmania.com
  dropped: C:\25009250732421\svchost.exe (PE32)
  signatures: Drops PE files with benign system names
  started: svchost.exe

15080.exe
  network: worm.top
  dropped: C:\ProgramData\PnQssBdbSh\winsysdrv (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 5 other signatures
  started: notepad.exe, cmd.exe

svchost.exe (started by 1607910050.exe)
  network: worm.ws, wduufbaueeubffgk.ws and 11 other IPs or domains
  dropped: C:\Users\user\AppData\...\2791612204.exe (data), C:\Users\user\AppData\...\1182110519.exe (data)
  signatures: System process connects to network (likely due to code injection or exploit); Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: 1182110519.exe, 2791612204.exe

notepad.exe
  network: worm.ws
  signatures: System process connects to network (likely due to code injection or exploit)

cmd.exe
  started: wscript.exe, conhost.exe

1182110519.exe
  network: api.wipmania.com

wscript.exe
  dropped: C:\Users\user\AppData\...\ulZYCdTsml.url (MS)
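The graph marks the connection to worm.ws (217.8.117.10) as Stratum mining protocol, and the Triage verdict further down names an XMRig payload. The following is an added example, not MalwareBazaar's or any sandbox vendor's code, of the check a network sensor can run over reassembled, plaintext TCP payloads to reach that verdict: both the classic "mining.*" JSON-RPC dialect and the CryptoNote dialect XMRig speaks are recognised. The payloads are constructed; the wallet string, pool job fields and agent version are placeholders.

```python
import json
from typing import Dict, List, Optional

# Classic Stratum (Bitcoin-derived pools): newline-delimited JSON-RPC whose
# method names live under the "mining." namespace.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}
# The CryptoNote/Monero dialect XMRig speaks uses bare method names; the client
# puts its user-agent in params.agent and the wallet address in params.login.
XMR_METHODS = {"login", "getjob", "submit", "job"}


def classify_line(line: bytes) -> Optional[Dict[str, str]]:
    """Verdict for one newline-delimited message, or None if it is not Stratum."""
    line = line.strip()
    if not line.startswith(b"{"):
        return None                       # every Stratum message is a JSON object
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_METHODS:
        agent = params[0] if isinstance(params, list) and params else ""
        return {"variant": "stratum", "method": method, "agent": str(agent), "login": ""}
    if method in XMR_METHODS:
        p = params if isinstance(params, dict) else {}
        return {"variant": "xmr-stratum", "method": method,
                "agent": str(p.get("agent", "")), "login": str(p.get("login", ""))}
    # Pool side of the XMR dialect: the login result carries a job with blob and target.
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict) \
            and {"blob", "target"} <= set(result["job"]):
        return {"variant": "xmr-stratum", "method": "login-response", "agent": "", "login": ""}
    return None


def classify_stream(payload: bytes) -> List[Dict[str, str]]:
    """Split a reassembled TCP stream on newlines and classify every message."""
    return [v for v in (classify_line(ln) for ln in payload.split(b"\n")) if v]


def is_mining_flow(payload: bytes) -> bool:
    return bool(classify_stream(payload))


# Constructed payloads; wallet, pool job fields and agent version are placeholders.
XMRIG_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
               b'"pass":"x","agent":"XMRig/6.x (Windows NT 10.0; Win64; x64)","algo":["rx/0","cn/r"]}}\n')
POOL_REPLY = (b'{"id":1,"jsonrpc":"2.0","result":{"id":"s1","job":{"blob":"0707deadbeef","job_id":"1",'
              b'"target":"b88d0600","algo":"rx/0"},"status":"OK"},"error":null}\n')
CLASSIC_STRATUM = (b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'
                   b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}\n')
HTTP_GET = b"GET /32.exe HTTP/1.1\r\nHost: pool.invalid\r\n\r\n"
OTHER_JSONRPC = b'{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}\n'

if __name__ == "__main__":
    for name, payload in [("xmrig", XMRIG_LOGIN), ("pool", POOL_REPLY),
                          ("classic", CLASSIC_STRATUM), ("http", HTTP_GET)]:
        print(name, classify_stream(payload))
```

Two caveats for deployment: the check keys on message content, not on the destination port, because pools listen on arbitrary ports (the report shows high ephemeral ports on the client side only), and it sees nothing once the miner is configured for TLS, where a JA3 fingerprint or the SNI name is what remains.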
Threat name: Win32.Downloader.SmallAgent
Status: Malicious
First seen: 2020-11-26 02:46:00 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:phorphiex family:xmrig evasion loader miner persistence trojan upx worm
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Drops startup file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
Phorphiex Payload
Phorphiex Worm
Windows security bypass
xmrig
Unpacked files
SHA256 hash: 01b3da80517886f0b91023294da6be87ec44dd87eadc39b9141950fc54f96783
MD5 hash: bdc0968a6b40243c3b54fe554fa7567b
SHA1 hash: 49d48d747cfbe8310161600d2ae8c7a01f7c74cd
Please note that we are no longer able to provide a coverage score for Virus Total.
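Three host-side observations recur across the verdicts above: autorun via the Software\Microsoft\Windows\CurrentVersion\Run branch ("Adds Run key to start application"), copies of the payload dropped as svchost.exe under numeric-named root directories (C:\28385667311123\, C:\25009250732421\; "Drops PE files with benign system names", "Sigma detected: System File Execution Location Anomaly", "Sigma detected: Suspicious Svchost Process"), and a system binary (notepad.exe) spawned by a dropper in %TEMP% and then talking to the network. The following is an added example, not MalwareBazaar's, Sysmon's or any Sigma rule's code, that runs those checks offline over process-creation events and Run-key values. The event fields are a simplified Sysmon Event ID 1 shape, the allowed-parent list for svchost.exe is a deliberate simplification, and the records are constructed: dropped-file paths are the ones in the behaviour graph, while the parent for the third event and the Run value names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Names Phorpiex reused for its dropped copies ("Drops PE files with benign system names").
SYSTEM_BINARY_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: services.exe is the only expected parent of svchost.exe (production
# rules allow a few more, e.g. Defender's own binaries); tune before deploying.
ALLOWED_SVCHOST_PARENTS = {"services.exe"}
# A root-level directory whose name is only digits, e.g. C:\28385667311123\
NUMERIC_ROOT_DIR = re.compile(r"^[a-z]:\\\d{8,}\\", re.I)
# Locations a standard user can write to; legitimate per-user installers also live
# under AppData, so allow-list those before using the Run-key check for alerting.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp)\\", re.I)
EXE_IN_COMMAND = re.compile(r'"?([^"]+?\.exe)', re.I)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 fields, simplified)."""
    image: str
    parent_image: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: ProcessEvent) -> List[str]:
    """Anomaly labels for one process-creation event."""
    findings = []
    image = ev.image.lower()
    name = basename(image)
    if name in SYSTEM_BINARY_NAMES and not image.startswith(LEGIT_SYSTEM_DIRS):
        findings.append("system file execution location anomaly")
    if name == "svchost.exe" and basename(ev.parent_image) not in ALLOWED_SVCHOST_PARENTS:
        findings.append("svchost.exe with unexpected parent")
    if NUMERIC_ROOT_DIR.match(image):
        findings.append("executable in numeric-named root directory")
    # notepad.exe started by 15080.exe from %TEMP% and then contacting worm.ws
    # is the injection-target pattern the sandbox flagged.
    if image.startswith(LEGIT_SYSTEM_DIRS) and USER_WRITABLE.search(ev.parent_image):
        findings.append("system binary spawned by a parent in a user-writable directory")
    return findings


def check_run_value(command: str) -> List[str]:
    """Anomaly labels for the command stored in one ...\\CurrentVersion\\Run value."""
    m = EXE_IN_COMMAND.match(command.strip())
    target = (m.group(1) if m else command).strip().lower()
    findings = []
    if NUMERIC_ROOT_DIR.match(target):
        findings.append("autorun from numeric-named root directory")
    if USER_WRITABLE.search(target):
        findings.append("autorun from user-writable directory")
    if basename(target) in SYSTEM_BINARY_NAMES and not target.startswith(LEGIT_SYSTEM_DIRS):
        findings.append("autorun of a system-binary name outside System32")
    return findings


def scan(events: List[ProcessEvent], run_values: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Run both checks; return (subject, findings) for everything that tripped one."""
    hits = []
    for ev in events:
        f = check_process(ev)
        if f:
            hits.append((ev.image, f))
    for name, command in run_values.items():
        f = check_run_value(command)
        if f:
            hits.append(("Run\\" + name, f))
    return hits


# Constructed records (see lead-in for which paths come from the graph).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\28385667311123\svchost.exe", r"C:\Users\user\AppData\Local\Temp\D673.exe"),
    ProcessEvent(r"C:\25009250732421\svchost.exe", r"C:\Users\user\AppData\Local\Temp\dropper.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\user\AppData\Local\Temp\15080.exe"),
]
SAMPLE_RUN_VALUES = {
    "ExampleTray": r'"C:\Program Files\Example\example.exe" --tray',
    "Windows Service": r"C:\28385667311123\svchost.exe",
}

if __name__ == "__main__":
    for subject, findings in scan(SAMPLE_EVENTS, SAMPLE_RUN_VALUES):
        print(subject, "->", "; ".join(findings))
```

The first event (svchost.exe from System32 under services.exe) and the first Run value pass cleanly; the two dropped svchost.exe copies, the notepad.exe launch and the numeric-directory Run value are reported. On a live host the same functions can be fed from Sysmon events and from the output of reg query on the HKCU and HKLM Run keys.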

File information



Comments