MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50fcdf33b27a9bc36765e7b5a2650678f0f0ef15d6410054f89fb63605f849e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 14

SHA256 hash: 50fcdf33b27a9bc36765e7b5a2650678f0f0ef15d6410054f89fb63605f849e5
SHA3-384 hash: c98723fd704e78264b6bc72b10cd5b967e5f9567b41c7b46b24c81891a259eeea66ebf187443a8da0380da933bf1c405
SHA1 hash: 8772291dc3edfe84dffad71af33d48e853e10b08
MD5 hash: 461f422870426748cc3e24111532472b
humanhash: spaghetti-utah-echo-queen
File name: 461f422870426748cc3e24111532472b.exe
Signature: Phorpiex
File size: 16'896 bytes
First seen: 2023-01-22 17:28:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9433b671ca36c1f732e87d57dc242bf5 (1 x Phorpiex)
ssdeep: 384:T1CfH3216i7jToD/vWoveM87zaL5j8J9OxX:UH3gFcD/vba7zH3OJ
Threatray: 353 similar samples on MalwareBazaar
TLSH: T1F0729D1ED9020126F1941871239D3E5C9BBE4933629251FFEF2590417E983A478A3BFB
TrID: 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 92b2f0aaeef2727a (1 x Phorpiex, 1 x AgentTesla)
Reporter: abuse_ch
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 1
# of downloads: 210
Origin country: n/a

Vendor Threat Intelligence
Malware family: phorpiex
ID: 1
File name: 461f422870426748cc3e24111532472b.exe
Verdict: Malicious activity
Analysis date: 2023-01-22 17:33:06 UTC
Tags: loader trojan phorpiex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a window
DNS request
Sending a UDP request
Creating a file
Sending a custom TCP request
Changing an executable file
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
CallSleep
EvasionGetTickCount
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult emotet greyware obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex, RHADAMANTHYS, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Phorpiex
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 789307, Sample: bN2hakskfs.exe, Startdate: 22/01/2023, Architecture: WINDOWS, Score: 100
Result
Threat name: Win32.Ransomware.MintZard
Status: Malicious
First seen: 2023-01-21 23:45:36 UTC
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex evasion loader persistence spyware stealer trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Phorphiex
Windows security bypass
Malware Config
C2 Extraction: http://185.215.113.66/

Unpacked files
SHA256 hash: 50fcdf33b27a9bc36765e7b5a2650678f0f0ef15d6410054f89fb63605f849e5
MD5 hash: 461f422870426748cc3e24111532472b
SHA1 hash: 8772291dc3edfe84dffad71af33d48e853e10b08
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Phorpiex
File: Executable exe 50fcdf33b27a9bc36765e7b5a2650678f0f0ef15d6410054f89fb63605f849e5 (this sample)

Comments