MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 9



SHA256 hash: 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
SHA3-384 hash: 00aa38efbca0b4c22ddc838303a0048159758051d0533ae1a091c89b105b9202b637d31d9a2147601a3907bc8b98355e
SHA1 hash: e15fc1668ccdaf70e5831906191f611136b7ac65
MD5 hash: 92ec0ad5172f3a97d6656b70c111af98
humanhash: nine-georgia-tango-snake
File name: 92ec0ad5172f3a97d6656b70c111af98.exe
Signature: Phorpiex
File size: 7'168 bytes
First seen: 2021-05-24 17:54:47 UTC
Last seen: 2021-05-24 18:01:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 49f011abe55f432b47dd02dd98d6a2b4 (1 x Phorpiex)
ssdeep: 96:KXsMZCXR3s3IH/QJs8jCGVO/ZPtboynunSkCtqQ:UsMABXfQNCGyZP1oynWS/
Threatray: 3 similar samples on MalwareBazaar
TLSH: 4EE1B6067A0142D2E85007F05AB2BA4F56FA5471131554EFF37FA50A6B71321F853B3A
Reporter: abuse_ch
Tags: exe Phorpiex

Intelligence

File Origin
# of uploads:
2
# of downloads:
143
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92ec0ad5172f3a97d6656b70c111af98.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 18:59:00 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Searching for many windows
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Defender launch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Phorpiex Xmrig
Detection:
malicious
Classification:
rans.troj.adwa.expl.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Found strings related to Crypto-Mining
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Uses shutdown.exe to shutdown or reboot the system
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: Behavior Graph ID 423113, Sample KJN55hQKh2.exe, Startdate 24/05/2021, Architecture WINDOWS, Score 100 (interactive graph rendering not reproduced here)
Threat name:
Win32.Trojan.MintZard
Status:
Malicious
First seen:
2021-05-24 17:55:08 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
5/5
Result
Malware family:
phorphiex
Score:
10/10
Tags:
family:phorphiex evasion loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Phorpiex
Executable exe 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c (this sample)

Comments