MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

frp

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1
SHA3-384 hash:	2369dcb8f97e267a936c04762bcf5168ea3a0d030bdec8aa048a893c8777655ff8f8013a9beabe501343d3b5fcf15cd3
SHA1 hash:	78bc32990a42124d712a0688285b4bbad0194959
MD5 hash:	be24fe7d9f5b3cbb3cd3980b0320460c
humanhash:	winner-oregon-delta-edward
File name:	file
Download:	download sample
Signature	frp Create hunting rule
File size:	18'432 bytes
First seen:	2026-01-20 17:36:23 UTC
Last seen:	2026-01-23 07:51:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b8b034a37970476c0e8791d5941c31e3 (2 x Phorpiex, 1 x frp)
ssdeep	192:LlGSCngTBvUVqtbeGOy6fUrrEwP0D3le6U5KUSfnzQbSP3qc7xmJxTmv8U9cthw+:MIUVKV08gwP0D30in/izav8U9cJ9
Threatray	25 similar samples on MalwareBazaar
TLSH	T1AF826C0FB8424713D1A11074D6224BBBDA79A47633C854EBFBD48ADD16686D2EC3219F
TrID	32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 20.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-phorpiex exe frp

Bitsight

url: http://195.178.136.19/3

Intelligence

File Origin

# of uploads :

162

# of downloads :

133

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1.exe

Verdict:

Malicious activity

Analysis date:

2026-01-20 17:37:58 UTC

Tags:

xor-url ip-check generic

Link:

https://app.any.run/tasks/578d331b-532b-4818-a703-2f66f20efdb4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49531/

Detection(s):

SecuriteInfo.com.Phish-502.UNOFFICIAL

Win.Dropper.Phorpiex-10008698-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696fbd59f3cf908ba506b676

Tags:

phishing dropper smtp remo

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm fingerprint microsoft_visual_cc phorpiex soft-404 xor-url

Link:

https://www.filescan.io/uploads/696fbd55f3c1b7b1fbd86758/reports/063e5203-36c7-49d8-ae26-9642feb11c32/overview

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-20T14:41:00Z UTC

Last seen:

2026-01-22T11:51:00Z UTC

Hits:

~1000

Detections:

Trojan.Win32.Wofith.sb HEUR:Trojan-Dropper.Win32.Phorpiex.gen Trojan-Spy.Agent.SMTP.C&C Trojan-Dropper.Win32.Phorpiex.sb Trojan-Dropper.Dinwod.HTTP.C&C PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1/results?tab=lookup

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6db2b4f-2f0b-4fc3-b2f5-1d17742776c7

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/be24fe7d9f5b3cbb3cd3980b0320460c

Detection:

phorpiex

Link:

https://mwdb.cert.pl/sample/18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1/

Verdict:

Malicious

Threat:

Trojan.Win32.Wofith

Link:

https://tip.neiki.dev/file/18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1

Threat name:

Win32.Worm.Phorpiex

Status:

Malicious

First seen:

2026-01-20 17:37:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dcykg4764y4273aaki4zc52zt4zpjnylz7wmllqkgtmc4qadccqq._file

Verdict:

malicious

Label(s):

phorpiex

frp

48214f32e63f85fe88aff17257a746862d7530bce20b2dfc7a7b942743374a31

frp

553972250e6766defd1125152eef38c0b8024e9ba2d65c5ca83ef1d04a1685eb

frp

6b7c767694aa1cdf7429f364c0c104b32f738203c8c60b5f25a6e2f6a66a71fa

frp

74fcf1e27180d840b8de78ec4cfbb48e5b7a43f13c579c9afbef17fc2b47ac02

frp

error

frp

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/260120-v7b6csdv9f/

Behaviour

System Location Discovery: System Language Discovery

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6acd9096-e959-4646-9f7d-7d3ecd094064

Unpacked files

SH256 hash:

18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1

MD5 hash:

be24fe7d9f5b3cbb3cd3980b0320460c

SHA1 hash:

78bc32990a42124d712a0688285b4bbad0194959

Link:

https://www.unpac.me/results/be1e436e-bc45-4d5c-9305-12b43ed7d27b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

frp

exe 18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1

(this sample)

Dropped by

Phorpiex

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/49531/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample