MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 12

SHA256 hash: 12897e2e24f1a59cf08655fcb274c08747ef550b16741e6306a0a8f94aefcb9c
SHA3-384 hash: a10bd709306d32a17fffb31fa8ce358db3247a777d1b17676536349ef1c38a5c450d87972033fd7a8efad01df0cc810b
SHA1 hash: eed1a50a4818890cb4c474792f8ad0258ab115a8
MD5 hash: 5c4dad0f397077e5e9cc55febfc096bd
humanhash: coffee-hot-utah-angel
File name: LCrypt0rX.vbs
Signature: Phorpiex
File size: 26'174 bytes
First seen: 2025-03-22 04:13:02 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:y8enbIbpBStxYUQHSH7l+ix/J/b6GvPpSy+tNywUTZEC:inucJb6UAUqC
TLSH: T1C5C295069D1BC966D4F6E39166A6EC0ED7B1F2A768718E1436CCC8809F36F8C45E40DE
Magika: vba
Reporter: Anonymous
Tags: LCRYX Phorpiex vbs

Intelligence

File Origin
Uploads: 1
Downloads: 130
Origin country: PH
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: ransomware trojan virus spam

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm notepad persistence powershell

Verdict: MALICIOUS

Threat name: Chaos, LCRYX, Xmrig
Detection: malicious
Classification: rans.adwa.expl.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the wallpaper picture
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected Stratum mining protocol
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Disables Windows Defender (via service or powershell)
Found Tor onion address
Loading BitLocker PowerShell Module
May disable shadow drive data (uses vssadmin)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries Google from non browser process on port 80
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes a notice file (html or txt) to demand a ransom
Wscript starts Powershell (via cmd or directly)
Yara detected Chaos Ransomware
Yara detected Generic Ransomware
Yara detected LCRYX Ransomware
Yara detected Xmrig cryptocurrency miner
Behaviour

Behavior Graph (ID 1645671; sample LCrypt0rX.vbs; start date 22/03/2025; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the information recoverable from it is:
Network: twizt.net (185.215.113.66, ports 50068, 50070, 50117; WHOLESALECONNECTIONSNL, Portugal), 185.215.113.84 (ports 50029, 80), cajgtus.com, and 56 other IPs or domains; Stratum mining protocol detected on the twizt.net traffic; Suricata IDS alerts for network traffic; a Tor onion address found.
Root processes: wscript.exe, wbengine.exe, svchost.exe and 11 other processes. The initial wscript.exe spawns a second wscript.exe, which drops C:\Windows\pei.exe (PE32), C:\Windows\advapi32_ext.vbs (ASCII) and 5 other malicious files, and starts cmd.exe (twice), wscript.exe and 7 other processes.
Child processes: cmd.exe -> vssadmin.exe (shadow copy deletion), a second cmd.exe that deletes the Windows backup plan, wscript.exe -> taskkill.exe, a chain of nested wscript.exe instances, and multiple conhost.exe instances.
Threat name: Win32.Trojan.Genasep
Status: Malicious
First seen: 2025-03-22 04:13:10 UTC
File Type: Text (VBS)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Verdict: malicious
Label(s): genericransomware
Similar samples:

Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex defense_evasion discovery execution impact loader persistence ransomware trojan worm
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Interacts with shadow copies
Kills process with taskkill
Modifies Control Panel
Modifies registry class
Opens file in notepad (likely ransom note)
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
Command and Scripting Interpreter: PowerShell
Indicator Removal: Clear Persistence
Checks computer location settings
Blocklisted process makes network request
Blocks application from running via registry modification
Creates new service(s)
Deletes backup catalog
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Stops running service(s)
Deletes shadow copies
Modifies WinLogon for persistence
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
UAC bypass
Malware Config
C2 Extraction:
http://185.215.113.66/
http://45.93.20.18/
http://185.215.113.66
http://45.93.20.18
185.215.113.66
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: Detects command variations typically used by ransomware
Rule name: kill_explorer
Author: iam-py-test
Description: Detect files killing explorer.exe
Rule name: RANSOMWARE
Author: ToroGuitar

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Multiple