MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87
SHA3-384 hash: d6bc1a776195b7c0046638ba58ebde3a9c606a23e6605799eb34ef1736844c2ffcccde6f8801e5b3e5cc461d29866176
SHA1 hash: 780ae4c128691bbbc580f8eaf2ebf15763b71e52
MD5 hash: d56881c9efd4fde5babaea7b074b4b2b
humanhash: pluto-bluebird-oxygen-fix
File name:file
Download: download sample
Signature Phorpiex
Create hunting rule
File size:8'704 bytes
First seen:2026-03-12 21:12:22 UTC
Last seen:2026-03-20 21:49:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b2f31160a5382dbf07d030ba66e1330 (1 x Smoke Loader, 1 x Phorpiex)
ssdeep 96:kDKI0grGCJBjOBdiGDFLZ+t8bb8PFJxGE9mK2FFhSC7tCEuZC:pBgrvJBjIZ+m8PFJxT4KmFhvuM
Threatray 141 similar samples on MalwareBazaar
TLSH T1E002190B7E4681B1D3D80DF012F58B8E8A7D45632BC2A1FBF7B3C5590FA4650E0526AA
TrID 39.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
21.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.3% (.EXE) Win64 Executable (generic) (6522/11/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-phorpiex exe Phorpiex


Avatar
Bitsight
url: http://178.16.54.109/newtpp.exe

Intelligence

File Origin
# of uploads :
755
# of downloads :
204
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-03-12 21:15:27 UTC
Tags:
loader auto-reg botnet phorpiex xor-url generic ip-check
Link:
https://app.any.run/tasks/6f8883fd-030e-4908-b0e9-2f892655bff7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57259/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.15234987.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b32c3f9872190419bfc3d7
Tags:
downloader phishing dropper trojan
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypto explorer fingerprint lolbin microsoft_visual_cc phorpiex
Link:
https://www.filescan.io/uploads/69b32c3d2000fc76c3d7d104/reports/8f52ce9a-0d51-419c-9f2c-4bd571f5fd20/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan-Banker.Win32.Phorpiex.gen HEUR:Trojan.Win32.Agent.gen Trojan.Agentb.UDP.C&C PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Dorifel.sbc Trojan-Banker.Win32.ClipBanker.sb HEUR:Worm.Win32.Generic Trojan.Win32.Zonidel.sb Trojan.Win32.Agent.sb HEUR:Virus.Win32.Zeropi.gen HEUR:Trojan-Downloader.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0ae62c44-a863-4bc6-8618-3a1168040972
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87
Gathering data
Detection:
phorpiex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87/
Verdict:
Malicious
Threat:
Family.PHORPIEX
Link:
https://tip.neiki.dev/file/0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2026-03-12 21:13:25 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpttxzg54rymwt5zxl6fmbgrficexzjil6qqvxh2tn2c4sbqrsdq._file
Verdict:
malicious
Label(s):
phorpiex
Create hunting rule
Similar samples:
0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87
Phorpiex
5ee7c0fb726d43c3fec9c254a88240d9a032b2451ef39acb28a7f5aec36d86c9
Phorpiex
98e5fdce85ab8e17472f95eecb4c22f08a28933828e0afd0b5db831fe222e373
Phorpiex
ad9cd916566c52d3045fea0120900a9f2f460a4bfbc01d0bac236f3cc9344739
Phorpiex
error
Phorpiex
+ 131 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:phorphiex family:xmrig discovery loader miner persistence spyware stealer trojan worm
Link:
https://tria.ge/reports/260312-z2efrab13w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
Phorphiex family
Phorphiex, Phorpiex
XMRig Miner payload
Xmrig family
xmrig
Malware Config
C2 Extraction:
178.16.54.109
http://158.94.211.162
Unpacked files
SH256 hash:
0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87
MD5 hash:
d56881c9efd4fde5babaea7b074b4b2b
SHA1 hash:
780ae4c128691bbbc580f8eaf2ebf15763b71e52
Link:
https://www.unpac.me/results/6e91e0e2-7404-49d9-a2ac-cbc553097dad/
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0be73be4dde4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Phorpiex
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe 0be73be4dde470cb4fb9bafc5604d12a044be5285fa10adcfa9b742e48308c87

(this sample)

  
Dropped by
Phorpiex
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57259/
  
URLhaus
https://urlhaus.abuse.ch/url/3688690/

Comments