MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228
SHA3-384 hash: f6aae95bb660c7ca2a641ab9ea6f2a16f93b4a30f9ebed12cca07df33417200c36b94f3c10deeed156a5db97f84a62c9
SHA1 hash: 28a5df66c1b6cc6b1181a3344edf7df0bb6fa246
MD5 hash: 5381689d4c9a0ce9d0f67dd8485188d2
humanhash: pluto-early-table-oxygen
File name:5381689d4c9a0ce9d0f67dd8485188d2
Download: download sample
Signature Phorpiex
Create hunting rule
File size:11'776 bytes
First seen:2024-08-04 12:50:10 UTC
Last seen:2024-08-04 15:15:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 38ca2cef077b08d131c2be3bfd70789c (3 x Phorpiex)
ssdeep 192:3p94aeZmoVfBLMhegdZJJfxMLkWScZqYSi/HX:3p94iQYgOZTxMQWSc9
Threatray 8 similar samples on MalwareBazaar
TLSH T138320A0BBD905532FBE009B049BB914B8AFC2AA327D1A89FF780B50A1971360C56136F
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe Phorpiex

Intelligence

File Origin
# of uploads :
3
# of downloads :
352
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
5381689d4c9a0ce9d0f67dd8485188d2
Verdict:
Malicious activity
Analysis date:
2024-08-04 12:52:59 UTC
Tags:
phorpiex
Link:
https://app.any.run/tasks/349110a7-6160-40dd-8dad-d0076a1e93ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66af793bb7a04efc7439d724
Tags:
Generic Infostealer Network Stealth Trojan Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request to an infection source
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc lolbin microsoft_visual_cc phorpiex shell32
Link:
https://www.filescan.io/uploads/66af7938e7dbbbdfcd08ec7d/reports/40174830-6aec-4f51-b3f5-e42933d9a9ac/overview
Verdict:
Malicious
Labled as:
Dropper.Generic.Malware.S
Link:
https://www.hybrid-analysis.com/sample/3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe183cba-7c20-4f98-bfd3-4921997f2c63
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1487526
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-08-04 12:51:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbqojpd2gxkswqmtwjll25xgfwmotuc6kbheq4nfmwc6uvrjkiua._file
Verdict:
malicious
Similar samples:
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
Phorpiex
3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228
Phorpiex
7b741ba5f5bfe5a6045f1f19e03f412226c7edb42c6c94a5a92922515da89aa0
Phorpiex
82d16b1428721a69501776eb26e14ecf76fe6e82a1d19c5fae6705a1cc0a4319
Phorpiex
c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4
Phorpiex
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240804-p3g8xsvhpj/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4e044436-66ce-43c3-8b8e-8028db6af853
Unpacked files
SH256 hash:
3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228
MD5 hash:
5381689d4c9a0ce9d0f67dd8485188d2
SHA1 hash:
28a5df66c1b6cc6b1181a3344edf7df0bb6fa246
Link:
https://www.unpac.me/results/b99c9186-aecd-41b9-987d-f5334b0447b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe 3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3088175/
  
URLhaus
https://urlhaus.abuse.ch/url/3088176/
  
URLhaus
https://urlhaus.abuse.ch/url/3088177/
  
URLhaus
https://urlhaus.abuse.ch/url/3088193/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
WININET.dll::InternetCloseHandle
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegSetValueExW

Comments


Avatar
zbet commented on 2024-08-04 12:50:11 UTC

url : hxxp://185.215.113.8/v.exe