MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750
SHA3-384 hash: 0aff5fdecef6d63b24bf419866400ce108b3cc7e91f0e27e707843bfeb0d791f30e7f13f68847b826012bc6ba4649273
SHA1 hash: a8c770f72be83b598d58c430e4ab5490298f0a79
MD5 hash: 0742732897c751326aac7d74488b1727
humanhash: lithium-football-colorado-iowa
File name:random.exe
Download: download sample
Signature Phorpiex
Create hunting rule
File size:6'525'440 bytes
First seen:2025-05-04 17:43:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 196608:PjxJ7W10vdAfJyw1kRaht2fvIEepU6rYavCwFEAQwj6C:PVyJAw1BhaeU+fWC
Threatray 1 similar samples on MalwareBazaar
TLSH T13E66330F6DE94507E469A7F016F322C342B27039A97A9616B3F34E0F40B5695B134BBB
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Phorpiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-05-04 19:16:49 UTC
Tags:
lumma stealer amadey botnet loader
Link:
https://app.any.run/tasks/56f9860e-af59-466f-a497-67c6da4fa10a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-10009296-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6817a939432e243ac3e400bf
Tags:
enigmaprotector vmdetect phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Running batch commands
Searching for analyzing tools
Launching a process
Launching a service
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm anti-vm CAB crypt explorer installer installer lolbin microsoft_visual_cc packed packed packer_detected rundll32 runonce sfx xpack
Link:
https://www.filescan.io/uploads/6817a77d0b64e174c416d896/reports/02ef2ca6-608a-46e7-80f3-a795d9911e36/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750
Malware family:
NirSoft
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/39e0d522-a777-4233-9e83-681dd11484e2
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1680933
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1680933 Sample: random.exe Startdate: 04/05/2025 Architecture: WINDOWS Score: 100 70 185.156.72.96 ITDELUXE-ASRU Russian Federation 2->70 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Antivirus detection for dropped file 2->86 88 14 other signatures 2->88 12 random.exe 1 4 2->12         started        15 ramez.exe 2->15         started        18 svchost.exe 2->18         started        20 5 other processes 2->20 signatures3 process4 file5 66 C:\Users\user\AppData\Local\...behaviorgraph7X19.exe, PE32 12->66 dropped 68 C:\Users\user\AppData\Local\...\3v37i.exe, PE32 12->68 dropped 22 G7X19.exe 1 4 12->22         started        106 Contains functionality to start a terminal service 15->106 108 Hides threads from debuggers 15->108 110 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->110 112 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->112 114 Changes security center settings (notifications, updates, antivirus, firewall) 18->114 signatures6 process7 file8 52 C:\Users\user\AppData\Local\...\2A9614.exe, PE32 22->52 dropped 54 C:\Users\user\AppData\Local\...\1g65d0.exe, PE32 22->54 dropped 92 Antivirus detection for dropped file 22->92 94 Multi AV Scanner detection for dropped file 22->94 26 2A9614.exe 4 22->26         started        30 1g65d0.exe 1 16 22->30         started        signatures9 process10 file11 56 C:\Users\user\AppData\Local\...\ramez.exe, PE32 26->56 dropped 96 Antivirus detection for dropped file 26->96 98 Multi AV Scanner detection for dropped file 26->98 100 Detected unpacking (changes PE section rights) 26->100 104 8 other signatures 26->104 32 ramez.exe 26->32         started        58 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 30->58 dropped 60 C:\Users\user\AppData\Local\...\cecho.exe, PE32 30->60 dropped 62 C:\Users\user\AppData\Local\...62SudoLG.exe, PE32+ 30->62 dropped 64 2 other malicious files 30->64 dropped 102 Contains functionality to detect sleep reduction / modifications 30->102 35 cmd.exe 1 30->35         started        signatures12 process13 signatures14 72 Antivirus detection for dropped file 32->72 74 Multi AV Scanner detection for dropped file 32->74 76 Detected unpacking (changes PE section rights) 32->76 80 7 other signatures 32->80 78 Uses cmd line tools excessively to alter registry or file data 35->78 37 cmd.exe 1 35->37         started        40 conhost.exe 35->40         started        process15 signatures16 90 Uses cmd line tools excessively to alter registry or file data 37->90 42 cmd.exe 37->42         started        44 conhost.exe 37->44         started        46 NSudoLG.exe 37->46         started        48 25 other processes 37->48 process17 process18 50 tasklist.exe 42->50         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750/
Threat name:
Win32.Trojan.Crifi
Create hunting rule
Status:
Malicious
First seen:
2025-05-04 07:26:07 UTC
File Type:
PE (Exe)
Extracted files:
130
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqeyw3qy7ea7xhy5bj5ozqcwyna2fswh6nmmfllcymkpr2nve5ia._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
admintool_nsudo
Create hunting rule
Similar samples:
error
Phorpiex
Result
Malware family:
phorphiex
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:lumma family:phorphiex botnet:8d33eb credential_access defense_evasion discovery dropper execution loader persistence stealer trojan worm
Link:
https://tria.ge/reports/250504-wbdjzsx1g1/
Behaviour
Checks processor information in registry
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
Disables service(s)
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
Modifies security service
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
Malware Config
C2 Extraction:
http://185.156.72.96
https://orjinalecza.net/lxaz
https://eczakozmetik.net/qop
https://orijinalecza.org/jub
https://tortoisgfe.top/paxk
https://eczamedikal.org/vax
https://orijinalecza.net/kazd
https://medicalbitkisel.net/juj
https://snakejh.top/adsk
https://vecturar.top/zsia
Dropper Extraction:
http://80.64.18.219/testmine/random.exe
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Disabler-10009296-0 stealc
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/13d69059-a0b6-4ac6-8344-d458231612a3
Unpacked files
SH256 hash:
e269cea618b31d4711693e2d57ab7bbf94c7b677c04bb1d1206a01b467c33746
MD5 hash:
0fe957f2023608ebb82c5162d87f463a
SHA1 hash:
18dabb2eb064a3b61254a2b798862fd01b14e949
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
SH256 hash:
f599b418936d44533ada98ef6b22f0ef43f38cb5aa20efd5add563337f2f2096
MD5 hash:
53ebcc149841058710fc4a90a9f854a4
SHA1 hash:
bd0208717cf8d4b718c58daa09b0bfbad7a2b3a5
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
SH256 hash:
e6718c5ce4a1d213c4a085d929a99c1d3de3ad41bf97c79f48e25d2f44ec3caf
MD5 hash:
073ac2f1e3a7a648102f2011711867c8
SHA1 hash:
1c4e006fbdec9cfd2d696ab5d28e897a0934aae3
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
SH256 hash:
f1852105289d1edacdae52698d1c3a6b8e30d022d5fceac6e3bf1beb821a38ee
MD5 hash:
4590e0d810a88637a3d7731afc236b82
SHA1 hash:
fea81be3f13551add44a1e9a50c139b7fbeff820
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
SH256 hash:
18cca1b2fb73aab59c6d280c6226aa29082706f2ee8fe26bd9327a30197e0d44
MD5 hash:
434f9f760f3b7e44e6a15eb68c867882
SHA1 hash:
8f95406c8e88493cae143df5649424027a35a774
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
SH256 hash:
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
MD5 hash:
426ccb645e50a3143811cfa0e42e2ba6
SHA1 hash:
3c17e212a5fdf25847bc895460f55819bf48b11d
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
SH256 hash:
8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750
MD5 hash:
0742732897c751326aac7d74488b1727
SHA1 hash:
a8c770f72be83b598d58c430e4ab5490298f0a79
Link:
https://www.unpac.me/results/c9513544-a04a-4792-9635-daf5505000e8/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c098b6e18f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe 8c098b6e18f901fb9f1d0a7aecc056c341a2cac7f358c2ad62c314f8e9b52750

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3533504/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments