MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6
SHA3-384 hash: 4238b1f37af4cf3abdced93549099a4a5c0338038f595ff80fa08bce960bf5fa56146b0fbb28dd908bd204534c9bb7a9
SHA1 hash: ba7af266efb72f1315ea72d6d8e4038a72f28b3c
MD5 hash: be4f6cbc31702ee8269da69a6286e7a6
humanhash: sixteen-juliet-alabama-triple
File name:be4f6cbc31702ee8269da69a6286e7a6.exe
Download: download sample
Signature Phorpiex
Create hunting rule
File size:47'616 bytes
First seen:2020-11-01 07:30:43 UTC
Last seen:2020-11-01 09:50:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9668b7091de4529d55cf638b279f602e (4 x Phorpiex, 1 x Smoke Loader)
ssdeep 768:TleoVfIzym9gZT7Lu3rlBJ/dReFJuBkkkk:ZzfIyDp7y3rReFkkkkk
Threatray 11 similar samples on MalwareBazaar
TLSH 7923A6EAD5016961D130C0BA7570C54B9FAF2C368E7101EFF6E8CD8A96B1843F771A1A
Reporter abuse_ch
Tags:exe Phorpiex

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81615/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.14421.26854.27574.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Searching for the window
Searching for many windows
DNS request
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Phorpiex Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/517662
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 307934 Sample: 1rP65UzlyY.exe Startdate: 01/11/2020 Architecture: WINDOWS Score: 100 68 fheuhdwdzwgzdggh.top 2->68 70 feauhueudughuurh.top 2->70 72 5 other IPs or domains 2->72 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus detection for URL or domain 2->96 98 Antivirus / Scanner detection for submitted sample 2->98 102 13 other signatures 2->102 11 1rP65UzlyY.exe 2 16 2->11         started        16 svchost.exe 13 2->16         started        18 svchost.exe 13 2->18         started        20 13 other processes 2->20 signatures3 100 Tries to resolve many domain names, but no domain seems valid 70->100 process4 dnsIp5 82 api.wipmania.com 212.83.168.196, 49707, 49713, 49719 OnlineSASFR France 11->82 62 C:\268552122130573\svchost.exe, PE32 11->62 dropped 126 Drops PE files with benign system names 11->126 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->128 22 svchost.exe 4 22 11->22         started        130 System process connects to network (likely due to code injection or exploit) 16->130 84 trikhaus.top 127.0.0.1 unknown unknown 20->84 86 192.168.2.1 unknown unknown 20->86 27 MpCmdRun.exe 20->27         started        file6 132 Tries to resolve many domain names, but no domain seems valid 82->132 signatures7 process8 dnsIp9 74 worm.ws 217.8.117.10, 49714, 49715, 49718 CREXFEXPEX-RUSSIARU Russian Federation 22->74 76 wduufbaueeubffgb.to 22->76 78 39 other IPs or domains 22->78 56 C:\Users\user\AppData\...\2696629765.exe, data 22->56 dropped 58 C:\Users\user\AppData\...\1408913621.exe, data 22->58 dropped 104 Antivirus detection for dropped file 22->104 106 System process connects to network (likely due to code injection or exploit) 22->106 108 Multi AV Scanner detection for dropped file 22->108 114 3 other signatures 22->114 29 2696629765.exe 15 22->29         started        34 1408913621.exe 13 22->34         started        36 conhost.exe 27->36         started        file10 110 Detected Stratum mining protocol 74->110 112 Tries to resolve many domain names, but no domain seems valid 76->112 signatures11 process12 dnsIp13 90 worm.ws 29->90 64 C:\Users\user\AppData\Local\Temp\28245.exe, PE32 29->64 dropped 66 C:\Users\user\AppData\...\winsysdrv[1].exe, PE32 29->66 dropped 134 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->134 38 28245.exe 29->38         started        92 api.wipmania.com 34->92 file14 signatures15 process16 dnsIp17 80 worm.top 38->80 60 C:\ProgramData\PnQssBdbSh\winsysdrv, PE32 38->60 dropped 116 Multi AV Scanner detection for dropped file 38->116 118 Detected unpacking (changes PE section rights) 38->118 120 Detected unpacking (overwrites its own PE header) 38->120 122 5 other signatures 38->122 43 notepad.exe 38->43         started        47 cmd.exe 38->47         started        file18 signatures19 process20 dnsIp21 88 worm.ws 43->88 124 System process connects to network (likely due to code injection or exploit) 43->124 49 wscript.exe 47->49         started        52 conhost.exe 47->52         started        signatures22 process23 file24 54 C:\Users\user\AppData\...\ulZYCdTsml.url, MS 49->54 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6/
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2020-10-31 15:43:59 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
Phorpiex
251960c51a68122710e9f928d7ea49ea52573f6e9af906e47ce91cfd518e39a7
Phorpiex
4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8
Phorpiex
68657be04f5b550fec4671437e5dc5849408eada96f5ff44cb0972b0e28ca5be
Phorpiex
7f99d6f0dd72b4b86fa136ed7771fd55dd6b40e8f890d61b90d8a88d117c9858
Phorpiex
ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4
Phorpiex
cdb2b4c85d67ee5d29410f0411776be88c42a21df4c153b831db9562f7a5f8da
Phorpiex
d03c04a685a0a4f735c0456cb4d1073792a19ea0fbf18a0c28d7b445798a4a18
Phorpiex
d073113b0667727d37e9c798f33cecf60b698e4d8c13f68ec8c6c75cd18ba7fe
Phorpiex
f8a3b64aa3c1c639a5ce1b100de860d4f97703879df0d01ce0118ae97c1b7423
Phorpiex
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/201101-fkrj631vgn/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Windows security bypass
Unpacked files
SH256 hash:
5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6
MD5 hash:
be4f6cbc31702ee8269da69a6286e7a6
SHA1 hash:
ba7af266efb72f1315ea72d6d8e4038a72f28b3c
Detections:
win_phorpiex_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b1de6f6-e403-4afb-a1e5-7faed2196997/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Phorpiex
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe 5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/404589/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/373422/
  
URLhaus
https://urlhaus.abuse.ch/url/621240/
  
URLhaus
https://urlhaus.abuse.ch/url/404588/
Cape
Cape
https://www.capesandbox.com/analysis/81615/

Comments