MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 20



SHA256 hash: 2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c
SHA3-384 hash: e705c057eda5f4e2feaa0e1c7b69be8b665dba471d0ffc7f1edfc57e840248f0b2151dd9bd8a9881b6fb5199293ec97e
SHA1 hash: b384ea034c9a9cfc1bc355b460f31733b18f0b21
MD5 hash: 869e6edba1580088394b324cd41e7dbd
humanhash: hotel-virginia-monkey-jig
File name: file
Signature: Phorpiex
File size: 88'576 bytes
First seen: 2026-02-09 07:06:51 UTC
Last seen: 2026-02-10 12:45:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8a17e5a35017900501d8d170aca1571b (2 x Phorpiex)
ssdeep: 1536:tKRjxbFmavM2B10yxt9Upp9AkyFA46bxHppK0Xmh:IF2OZ10yFUPqkcA46bdppK0Xmh
Threatray: 123 similar samples on MalwareBazaar
TLSH: T1BA835B01F1D0917BF8FA81FAD2F74E69582CBFB4134944E35290659B9724AEAFD3102B
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-phorpiex exe Phorpiex


Reporter comment (Bitsight): url: http://91.92.243.29/bnoda

Intelligence


File Origin
# of uploads: 4
# of downloads: 154
Origin country: DE
Vendor Threat Intelligence
Malware family: phorpiex
ID: 1
File name: _2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c.exe
Verdict: Malicious activity
Analysis date: 2026-02-09 07:07:52 UTC
Tags: auto-reg phorpiex botnet

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: downloader dropper remo

Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a UDP request
Creating a file
Deleting a recently created file
Replacing files
Creating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Changing an executable file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Infecting executable files
Enabling threat expansion on mass storage devices
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypto explorer fingerprint lolbin microsoft_visual_cc phorpiex

Verdict: Malicious
File Type: exe x32
First seen: 2026-02-09T04:16:00Z UTC
Last seen: 2026-02-11T05:29:00Z UTC
Hits: ~1000
Detections: Trojan.Agentb.UDP.C&C, BSS:Trojan.Win32.Generic, Trojan-Dropper.Win32.Dorifel.sbc, Trojan-PSW.PureLogs.TCP.C&C, Trojan-Banker.Win32.ClipBanker.sb, Trojan.Win32.Zonidel.sb, Trojan.Win32.Agent.sb, HEUR:Worm.Win32.Generic, HEUR:Trojan-Banker.Win32.Phorpiex.gen, HEUR:Trojan.Win32.Agent.gen, HEUR:Trojan.Win32.Generic
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Worm.Phorpiex
Status: Malicious
First seen: 2026-02-09 07:07:25 UTC
File Type: PE (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex discovery loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
Malware Config
C2 Extraction:
http://178.16.54.109/
http://91.92.243.29/
Unpacked files
SHA256 hash: 2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c
MD5 hash: 869e6edba1580088394b324cd41e7dbd
SHA1 hash: b384ea034c9a9cfc1bc355b460f31733b18f0b21
Please note that we are no longer able to provide a coverage score for Virus Total.
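The entry above gives two kinds of indicators a responder can act on: the file hashes of the sample (SHA256, SHA1, MD5, SHA3-384) and the network infrastructure from the C2 extraction (http://178.16.54.109/, http://91.92.243.29/) plus the reporter's download URL (http://91.92.243.29/bnoda). The script below is an added example of turning those into a sweep, not code from MalwareBazaar, Bitsight or any of the sandbox vendors quoted on this page. It hashes files and reports any that match the listed digests, and it scans proxy log lines for requests to the C2 hosts. The proxy log format and the log lines are constructed for the example; the real sample is not embedded, so the hash sweep only fires on an actual copy of the file. The imphash, ssdeep and TLSH values on the page need third-party libraries and are not recomputed here.

```python
"""IOC sweep built from the MalwareBazaar entry for SHA256 2e8935...e6c.

Added example, not MalwareBazaar or vendor tooling. Hash values and C2
hosts are copied from the entry; the log format and log lines are
constructed test data.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# File hashes exactly as listed on the entry.
SAMPLE_HASHES = {
    "sha256": "2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c",
    "sha1": "b384ea034c9a9cfc1bc355b460f31733b18f0b21",
    "md5": "869e6edba1580088394b324cd41e7dbd",
    "sha3_384": "e705c057eda5f4e2feaa0e1c7b69be8b665dba471d0ffc7f1edfc57e840248f0b2151dd9bd8a9881b6fb5199293ec97e",
}

# Network IOCs: hosts from the "C2 Extraction" config plus the exact
# download URL supplied in the reporter's comment.
C2_HOSTS = {"178.16.54.109", "91.92.243.29"}
C2_URLS = {"http://91.92.243.29/bnoda"}


def file_hashes(data: bytes) -> dict:
    """Compute the four digests the entry lists, keyed by the same names."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_sample(data: bytes) -> list:
    """Return the names of the listed hash fields that this data matches."""
    mine = file_hashes(data)
    return [name for name, digest in mine.items() if digest == SAMPLE_HASHES[name]]


def sweep_dir(root: Path) -> dict:
    """Hash every regular file under root; return {path: matched fields} for hits."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file():
            matched = match_sample(path.read_bytes())
            if matched:
                hits[str(path)] = matched
    return hits


# Constructed proxy-log format (assumption for the example):
#   "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed log lines: two touch the entry's infrastructure, one is benign,
# one is unparseable and must be skipped rather than crash the scan.
SAMPLE_LOGS = [
    "2026-02-09T07:10:01Z 10.0.0.5 GET http://91.92.243.29/bnoda 200",
    "2026-02-09T07:10:02Z 10.0.0.5 GET http://178.16.54.109/ 200",
    "2026-02-09T07:11:00Z 10.0.0.7 GET https://example.com/index.html 200",
    "garbage line",
]


def scan_proxy_logs(lines) -> list:
    """Return (client, url, reason) for each line that reaches a C2 indicator.

    An exact match on the reporter's URL is reported before the looser
    host-only match so the most specific indicator wins.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname
        if url in C2_URLS:
            findings.append((m.group("client"), url, "exact URL from reporter note"))
        elif host in C2_HOSTS:
            findings.append((m.group("client"), url, "host in extracted C2 config"))
    return findings


if __name__ == "__main__":
    for client, url, reason in scan_proxy_logs(SAMPLE_LOGS):
        print(f"{client} -> {url} ({reason})")
    print(sweep_dir(Path(".")))
```

The host-level match deliberately fires on any path under the two C2 IPs, because Phorpiex samples fetch further payloads from the same hosts (this entry is itself tagged dropped-by-phorpiex); scope it to the first-seen window on the entry when reviewing historical logs, since plain IPs are reused. Hash matching only catches this exact file; the "Infecting executable files" and mass-storage behaviours in the sandbox report mean related files on a host will carry different hashes.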

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Phorpiex
    Executable exe 2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c (this sample)
      Dropped by: Phorpiex

Delivery method: Distributed via web download

Comments