MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f99d6f0dd72b4b86fa136ed7771fd55dd6b40e8f890d61b90d8a88d117c9858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 5



SHA256 hash: 7f99d6f0dd72b4b86fa136ed7771fd55dd6b40e8f890d61b90d8a88d117c9858
SHA3-384 hash: 8add20e84434c88afbbf61ed8142d8c6581fc276cce0dff9a10fed6ce7e957aa6d7b043fd4c942e9ff3f921a4a632c5a
SHA1 hash: a8613ac0c99ea6d5073d7474b278794b50f30b24
MD5 hash: 97fdb440587ae6f237203b2e0338a550
humanhash: india-robin-robin-saturn
File name: 97fdb440587ae6f237203b2e0338a550.exe
Signature: Phorpiex
File size: 78'848 bytes
First seen: 2020-09-20 03:59:48 UTC
Last seen: 2020-09-20 04:44:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f944c0518d3a00049e07094b78bdb20 (1 x Phorpiex)
ssdeep: 768:Nl92s8vjKGxEFVz7PP/UBV7VWzFYIH4Q:bsswjK3Vz7PPXzFLY
Threatray: 8 similar samples on MalwareBazaar
TLSH: 5E7393F88EF578A5E02460737464A23C37CB5D2EDCA1587AE29BF54A34718C260F5E0B
Reporter: abuse_ch
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 2
# of downloads: 148
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file in the %temp% directory
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Launching a process
Creating a service
Launching a service
Loading a system driver
Running batch commands
Sending a UDP request
Searching for the window
Searching for many windows
DNS request
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending a TCP request to an infection source
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices by creating a special LNK file
Unauthorized injection to a system process
Result
Threat name: Phorpiex
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Phorpiex
Behaviour
Behavior Graph:
Behavior Graph ID: 287798
Sample: jHbg4HhuFN.exe
Startdate: 20/09/2020
Architecture: WINDOWS
Score: 100

Start node (2):
  Network: worm.top, wduufbaueeubffgs.top, 18 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 11 other signatures; Tries to resolve many domain names, but no domain seems valid (wduufbaueeubffgs.top)

Process tree (graph node numbers in parentheses):
  jHbg4HhuFN.exe (11)
    Network: worm.ws (217.8.117.10; ports 49732, 49741, 49742; CREXFEXPEX-RUSSIARU, Russian Federation)
    Dropped: C:\11967249392315\svchost.exe (PE32)
    Signatures: Drops PE files with benign system names; Hides that the sample has been downloaded from the Internet (zone.identifier)
    svchost.exe (22)
      Network: efeuafubeubaefur.ws (64.70.19.203; ports 49746, 49747, 49748; CENTURYLINK-LEGACY-SAVVISUS, United States); wduufbaueeubffgl.to; 35 other IPs or domains
      Dropped: C:\Users\user\AppData\...\2587915007.exe (data); C:\Users\user\AppData\...\1561536897.exe (data)
      Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 3 other signatures; Detected Stratum mining protocol (efeuafubeubaefur.ws); Tries to resolve many domain names, but no domain seems valid (wduufbaueeubffgl.to)
      1561536897.exe (27)
        Network: 217.8.117.13 (ports 49759, 801; CREXFEXPEX-RUSSIARU, Russian Federation)
        Dropped: C:\Users\user\AppData\Local\Temp\16008.exe (PE32); C:\Users\user\AppData\...\winsysdrv[1].exe (PE32)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        16008.exe (34)
          Network: worm.top; 192.168.2.1
          Dropped: C:\ProgramData\PnQssBdbSh\winsysdrv (PE32)
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
          notepad.exe (41)
            Network: worm.ws
            Signatures: System process connects to network (likely due to code injection or exploit)
          cmd.exe (45)
            wscript.exe (51)
              Dropped: C:\Users\user\AppData\...\ulZYCdTsml.url (MS)
            conhost.exe (54)
      2587915007.exe (32)
        Dropped: C:\219621343622429\svchost.exe (PE32)
        Signatures: Drops PE files with benign system names
        svchost.exe (39)
          Network: okdoekeoehghaoer.ws; worm.ws; 9 other IPs or domains
          Dropped: C:\Users\user\AppData\...\1421121090.exe (data); C:\Users\user\AppData\...\1057510069.exe (data)
          Signatures: System process connects to network (likely due to code injection or exploit); Hides that the sample has been downloaded from the Internet (zone.identifier); Tries to resolve many domain names, but no domain seems valid (okdoekeoehghaoer.ws)
          1421121090.exe (47)
          1057510069.exe (49)
  svchost.exe (16)
    Network: 127.0.0.1 (unknown)
  svchost.exe (18)
  6 other processes (20)
Threat name: Win32.Trojan.Fsysna
Status: Malicious
First seen: 2020-09-17 03:18:02 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: upx persistence evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
UPX packed file
Windows security bypass
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Phorpiex
File type: Executable exe
SHA256 hash: 7f99d6f0dd72b4b86fa136ed7771fd55dd6b40e8f890d61b90d8a88d117c9858 (this sample)

Comments