MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Phorpiex
Vendor detections: 19
| SHA256 hash: | 794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979 |
|---|---|
| SHA3-384 hash: | 03e4c8e70cac46486567c40af8ed31fbee4ba8b54a3f73c84cce793f69ab454a4dae2df8ed4b88f70a40688a4ed44e9c |
| SHA1 hash: | 0b390cd5a44a64296b592360b6b74ac66fb26026 |
| MD5 hash: | a775d164cf76e9a9ff6afd7eb1e3ab2e |
| humanhash: | mars-maryland-princess-hydrogen |
| File name: | SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434 |
| Download: | download sample |
| Signature | Phorpiex |
| File size: | 86'528 bytes |
| First seen: | 2024-09-22 22:20:18 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 72db0c0dfd8f33f8e37f43333e8c1643 (2 x Phorpiex) |
| ssdeep | 1536:5Ei+lO/FmavM28kR1hDzc3zcq1ZI9PiDQIyQaQG9JXVfKo:WTlROxNs3zLjI4t3UXVfKo |
| Threatray | 60 similar samples on MalwareBazaar |
| TLSH | T1CB833900F6D0913AF8F641FB92FB5A69582CFFB4630544E75390A4AB9B206E9FD31127 |
| TrID | 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| Reporter |  SecuriteInfoCom |
| Tags: | exe Phorpiex |
Intelligence
File Origin
# of uploads :
1
# of downloads :
389
Origin country :
FRVendor Threat Intelligence
Malware family:
phorpiex
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434
Verdict:
Malicious activity
Analysis date:
2024-09-22 22:21:53 UTC
Tags:
phorpiex
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Execution Generic Infostealer Network Stealth Trojan Heur Phorpiex Mint Spam
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
crypto evasive fingerprint lolbin microsoft_visual_cc shell32
Verdict:
Malicious
Labled as:
Mint.Zard.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phorpiex
Verdict:
Malicious
Result
Threat name:
Phorpiex
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Stops critical windows services
Suricata IDS alerts for network traffic
Yara detected Phorpiex
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Detection:
phorpiex
Threat name:
Win32.Trojan.MintZard
Status:
Malicious
First seen:
2024-09-22 00:15:19 UTC
File Type:
PE (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
phorpiex_tldr
phorpiex
Similar samples:
+ 50 additional samples on MalwareBazaar
Result
Malware family:
phorphiex
Score:
10/10
Tags:
family:phorphiex discovery evasion execution loader persistence trojan worm
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Windows security modification
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Modifies security service
Phorphiex payload
Phorphiex, Phorpiex
Windows security bypass
Malware Config
C2 Extraction:
http://185.215.113.66/
http://91.202.233.141/
http://91.202.233.141/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979
MD5 hash:
a775d164cf76e9a9ff6afd7eb1e3ab2e
SHA1 hash:
0b390cd5a44a64296b592360b6b74ac66fb26026
Detections:
phorphiex
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Phorpiex
Score:
0.80
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Detect_APT29_WINELOADER_Backdoor |
|---|---|
| Author: | daniyyell |
| Description: | Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends |
| Reference: | https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties |
| Rule name: | Disable_Defender |
|---|---|
| Author: | iam-py-test |
| Description: | Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW |
| URL_MONIKERS_API | Can Download & Execute components | urlmon.dll::URLDownloadToFileW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW WININET.dll::InternetCloseHandle KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetDiskFreeSpaceExW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileExW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::QueryDosDeviceW |
| WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptGenRandom |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW ADVAPI32.dll::RegSetValueExA |
| WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::WSACloseEvent WS2_32.dll::WSACreateEvent WS2_32.dll::WSAEnumNetworkEvents WS2_32.dll::WSAEventSelect WS2_32.dll::WSAGetOverlappedResult WS2_32.dll::WSARecv |
| WIN_USER_API | Performs GUI Actions | USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.