MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28068cedfc7c3e3516e39f91ae285ff6f5d26170be34cd69e70fe3f575e203bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 15



SHA256 hash: 28068cedfc7c3e3516e39f91ae285ff6f5d26170be34cd69e70fe3f575e203bf
SHA3-384 hash: ebe7d09bb9101ac2002cff0d127f029f7c96a7aa953ede38c4556c6d2637595d628753cb26c354a18543a5bd2fcd32f8
SHA1 hash: eee45da538bec32eb1d9a9e85dd343fc7f29c185
MD5 hash: ad83666a85d2cddceb0ee86c2d8cc621
humanhash: shade-steak-blue-stream
File name: 28068cedfc7c3e3516e39f91ae285ff6f5d26170be34cd69e70fe3f575e203bf
Signature: Phorpiex
File size: 1'292'392 bytes
First seen: 2024-10-16 11:57:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f8e2c15d10c2909b624cf7099f414556 (1 x Phorpiex)
ssdeep: 24576:D/Xwpqsm3V6Hv9WVrIskLlSQ/lt4xP0DRkOhiVGa:+JmF6Hv9WjkLlSQ/ltSVGa
Threatray: 70 similar samples on MalwareBazaar
TLSH: T151558E207A95C236F1A301B8ADFDA75E502DBD55076644CBE3C03E1E2971AC22E3776B
TrID: 57.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      16.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      10.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: d4968692929686d4 (1 x Phorpiex)
Reporter: JAMESWT_WT
Tags: 114-114-114-114 exe Phorpiex

Intelligence


File Origin
# of uploads: 1
# of downloads: 408
Origin country: IT

Vendor Threat Intelligence
Malware family: phorpiex
ID: 1
File name: 28068cedfc7c3e3516e39f91ae285ff6f5d26170be34cd69e70fe3f575e203bf
Verdict: Malicious activity
Analysis date: 2024-10-16 12:00:04 UTC
Tags: loader phorpiex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Powershell Phorpiex Gandcrab Spam

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: explorer gandcrab lolbin microsoft_visual_cc obfuscated overlay shell32 stealer virus zero

Result
Threat name: Phorpiex, Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Stops critical windows services
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour

Behavior Graph (reconstructed from the graph's text labels; internal node numbers omitted):
Behavior Graph ID: 1535028
Sample: dgiX55cHyU.exe
Startdate: 16/10/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
Domains contacted: twizthash.net, twizt.net

Process tree and per-node findings:
- dgiX55cHyU.exe (started)
  - Network: twizthash.net -> 185.215.113.66 (ports 49700, 49707, 49762), WHOLESALECONNECTIONSNL, Portugal; Detected Stratum mining protocol on this connection
  - Dropped: C:\Users\user\AppData\Local\Temp\1B65.exe (PE32); C:\Users\user\AppData\Local\...\pei[1].exe (PE32)
  - Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  - Started: 1B65.exe
    - Dropped: C:\Users\user\AppData\Local\...\141333551.exe (PE32); C:\Users\user\AppData\Local\...\newtpp[1].exe (PE32)
    - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    - Started: 141333551.exe
      - Dropped: C:\Windows\sysppvrdnvs.exe (PE32)
      - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
      - Started: sysppvrdnvs.exe
        - Network: 129.122.185.117:40500 (ZAP-AngolaAO, Angola); 198.163.203.123:40500 (WINDSTREAMUS, United States); 36 other IPs or domains
        - Dropped: C:\Users\user\AppData\Local\...\887515868.exe (PE32+); C:\Users\user\AppData\...\3219610296.exe (PE32); C:\Users\user\AppData\...\1562414254.exe (PE32); 4 other malicious files
        - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
        - Started: 1562414254.exe, 887515868.exe, cmd.exe, 2 other processes
          - 1562414254.exe: Network 185.215.113.84 (ports 49983, 80), WHOLESALECONNECTIONSNL, Portugal; Dropped C:\Users\user\AppData\...\3020010345.exe (PE32+) and C:\Users\user\AppData\Local\...\nxmr[1].exe (PE32+); Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Started 3020010345.exe
            - 3020010345.exe: Dropped C:\Users\user\...\winupsecvmgr.exe (PE32+); Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; 2 other signatures
          - 887515868.exe: Started two cmd.exe instances; the first (Uses schtasks.exe or at.exe to add and modify task schedules) started conhost.exe and reg.exe; the second started conhost.exe and schtasks.exe
          - cmd.exe: Signatures: Adds a directory exclusion to Windows Defender; Stops critical windows services; Started powershell.exe (Loading BitLocker PowerShell Module) and conhost.exe
          - 2 other processes: Started conhost.exe, sc.exe, sc.exe, 3 other processes
- winupsecvmgr.exe (started)
  - Dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\...\jacrzswcvuml.tmp (PE32+)
  - Signatures: Suspicious powershell command line found; Found strings related to Crypto-Mining; Writes to foreign memory regions; 3 other signatures
  - Started: conhost.exe (Suspicious powershell command line found); dwm.exe (Query firmware table information (likely to detect VMs))
- svchost.exe (started)
  - Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  - Started: MpCmdRun.exe, which started conhost.exe
- 10 other processes
  - Signatures: Query firmware table information (likely to detect VMs); Loading BitLocker PowerShell Module; Found direct / indirect Syscall (likely to bypass EDR)
  - Started: conhost.exe (three instances)
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2024-10-15 15:22:11 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 27 of 38 (71.05%)
Threat level: 5/5

Result
Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex discovery evasion execution loader persistence trojan worm
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stops running service(s)
Modifies security service
Phorphiex payload
Phorphiex, Phorpiex
Windows security bypass
Malware Config
C2 Extraction:
http://185.215.113.66/
http://91.202.233.141/

Unpacked files
SHA256 hash: 28068cedfc7c3e3516e39f91ae285ff6f5d26170be34cd69e70fe3f575e203bf
MD5 hash: ad83666a85d2cddceb0ee86c2d8cc621
SHA1 hash: eee45da538bec32eb1d9a9e85dd343fc7f29c185
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipDeleteGraphics, gdiplus.dll::GdipDeleteBrush, gdiplus.dll::GdipAlloc, gdiplus.dll::GdipCreateFromHDC
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::DuplicateTokenEx
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, WININET.dll::InternetCloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, MSVCR120.dll::__crtTerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetWindowsDirectoryW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::FindFirstFileW, KERNEL32.dll::RemoveDirectoryW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::FindWindowExW, USER32.dll::CreateWindowExW
