MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8
SHA3-384 hash: 1e66e172eb147ec7ed69b0fc3069eefbc202d19a21b7928fb3b3c3786802c46f631dcc57326d70fa1a917b364d19a05f
SHA1 hash: cc01dca2c5a9cabcd1d9820fb986fe923b95cef5
MD5 hash: 351734ffa17ae8fa5f5d3fc7deaf26c2
humanhash: connecticut-skylark-pasta-muppet
File name:351734ffa17ae8fa5f5d3fc7deaf26c2.exe
Download: download sample
Signature Phorpiex
Create hunting rule
File size:27'648 bytes
First seen:2020-09-01 06:54:36 UTC
Last seen:2020-09-01 08:14:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 70054f87c3cb1f16390b5a302cb9254c (1 x Phorpiex)
ssdeep 768:dleAVqLW5D77rwG8A+o9oPnhdMWy40HK0Ux7sd35:Lek6W5PpToPhdMFZ35
Threatray 8 similar samples on MalwareBazaar
TLSH 3EC2181CA2E80712F9B0C4703DB2857FD26A7EB32A6168CFF3D159421974D81F532A6E
Reporter abuse_ch
Tags:exe Phorpiex

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53814/
Detection(s):
SecuriteInfo.com.Generic.GC.Downloader.9641FC99.25077.18695.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Creating a file in the %temp% directory
Sending an HTTP GET request
Sending a custom TCP request
Deleting a recently created file
Replacing files
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Sending an HTTP GET request to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/456198
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to determine the online IP of the system
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Send many emails (e-Mail Spam)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 280481 Sample: sKu7FoPlk3.exe Startdate: 01/09/2020 Architecture: WINDOWS Score: 100 65 seuufhehfueugheh.ws 2->65 67 efeuafubeubaefuh.ws 2->67 69 311 other IPs or domains 2->69 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Multi AV Scanner detection for domain / URL 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 91 6 other signatures 2->91 10 sKu7FoPlk3.exe 2 2 2->10         started        14 svchost.exe 1 2->14         started        17 svchost.exe 2->17         started        19 9 other processes 2->19 signatures3 89 Tries to resolve many domain names, but no domain seems valid 67->89 process4 dnsIp5 55 C:\227552843415580\svchost.exe, PE32 10->55 dropped 113 Drops PE files with benign system names 10->113 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->115 21 svchost.exe 4 22 10->21         started        79 tsrv2.top 127.0.0.1 unknown unknown 14->79 81 gmail.com 14->81 26 MpCmdRun.exe 17->26         started        file6 signatures7 process8 dnsIp9 71 tsrv1.ws 217.8.117.10, 49736, 49737, 49738 CREXFEXPEX-RUSSIARU Russian Federation 21->71 73 wdkowdohwodhfhfh.ws 64.70.19.203, 49739, 49740, 49741 CENTURYLINK-LEGACY-SAVVISUS United States 21->73 75 13 other IPs or domains 21->75 47 C:\Users\user\AppData\...\2805522468.exe, data 21->47 dropped 49 C:\Users\user\AppData\...\2623913682.exe, data 21->49 dropped 93 Antivirus detection for dropped file 21->93 95 Multi AV Scanner detection for dropped file 21->95 97 Changes security center settings (notifications, updates, antivirus, firewall) 21->97 101 2 other signatures 21->101 28 2805522468.exe 2 21->28         started        32 2623913682.exe 14 21->32         started        35 conhost.exe 26->35         started        file10 99 Tries to resolve many domain names, but no domain seems valid 71->99 signatures11 process12 dnsIp13 57 C:\17521862113663\svchost.exe, PE32 28->57 dropped 117 Drops PE files with benign system names 28->117 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->119 37 svchost.exe 14 28->37         started        59 mail.ru 32->59 61 icloud.com 32->61 63 97 other IPs or domains 32->63 file14 121 Tries to resolve many domain names, but no domain seems valid 61->121 signatures15 process16 dnsIp17 77 tsrv1.ws 37->77 51 C:\Users\user\AppData\...\3236010755.exe, data 37->51 dropped 53 C:\Users\user\AppData\...\1811619734.exe, data 37->53 dropped 103 Antivirus detection for dropped file 37->103 105 System process connects to network (likely due to code injection or exploit) 37->105 107 Multi AV Scanner detection for dropped file 37->107 109 2 other signatures 37->109 42 3236010755.exe 37->42         started        45 1811619734.exe 37->45         started        file18 signatures19 process20 signatures21 111 Contains functionality to determine the online IP of the system 42->111
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8/
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2020-09-01 02:53:40 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlfm6lhiberiz34wvanaqaf5wsl4plx3fmtyiihir3u57je5etma._file
Verdict:
malicious
Similar samples:
251960c51a68122710e9f928d7ea49ea52573f6e9af906e47ce91cfd518e39a7
Phorpiex
68657be04f5b550fec4671437e5dc5849408eada96f5ff44cb0972b0e28ca5be
Phorpiex
ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4
Phorpiex
b901f2320a7011a69a6b7013bc99be0e904f55f1bc37b3091b014e894bc3db24
Phorpiex
cdb2b4c85d67ee5d29410f0411776be88c42a21df4c153b831db9562f7a5f8da
Phorpiex
d03c04a685a0a4f735c0456cb4d1073792a19ea0fbf18a0c28d7b445798a4a18
Phorpiex
d073113b0667727d37e9c798f33cecf60b698e4d8c13f68ec8c6c75cd18ba7fe
Phorpiex
f8a3b64aa3c1c639a5ce1b100de860d4f97703879df0d01ce0118ae97c1b7423
Phorpiex
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence evasion trojan
Link:
https://tria.ge/reports/200901-7gb5p8s1aa/
Behaviour
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Windows security modification
Executes dropped EXE
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Phorpiex
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe 4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/23071/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/336680/
  
URLhaus
https://urlhaus.abuse.ch/url/347735/
  
URLhaus
https://urlhaus.abuse.ch/url/373420/
  
URLhaus
https://urlhaus.abuse.ch/url/373658/
  
URLhaus
https://urlhaus.abuse.ch/url/373730/
  
URLhaus
https://urlhaus.abuse.ch/url/399897/
  
URLhaus
https://urlhaus.abuse.ch/url/407162/
  
URLhaus
https://urlhaus.abuse.ch/url/432782/
  
URLhaus
https://urlhaus.abuse.ch/url/432795/
  
URLhaus
https://urlhaus.abuse.ch/url/432787/
Cape
Cape
https://www.capesandbox.com/analysis/53814/

Comments