MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 20

Intelligence 20 IOCs YARA 1 File information Comments

SHA256 hash:	926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e
SHA3-384 hash:	ecc2da5f1f5180c0d208327bd068864ef0c498adc5a27a4bfb4e2b8b11caf9a95ffeb5982a6038554e82f580929b4b23
SHA1 hash:	7a76e9b5300ecd6b4f81a168880e31e1994d3ec5
MD5 hash:	e15920e4e4d968e5372e0c33d98e9bb6
humanhash:	wisconsin-carbon-april-east
File name:	file
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	88'064 bytes
First seen:	2025-10-27 14:12:14 UTC
Last seen:	2025-11-04 15:31:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cd8f53456e8eab6877bd6db17a9de950 (1 x Phorpiex)
ssdeep	1536:0wAxGlNFmav82iG/78+E+Tsvg49hICuFC2lnwq:rAoQOB/78+Nq9/ICwC2Zwq
Threatray	198 similar samples on MalwareBazaar
TLSH	T13C833901F5D0A07BF9FA41FBD2F24E69582CBFB4134948E39290655B97246EABC3502B
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10522/11/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-phorpiex exe Phorpiex

Bitsight

url: http://178.16.54.109/newtpp.exe

Intelligence

File Origin

# of uploads :

291

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

phorpiex

ID:

File name:

421325272894fb090b5eeb5a367612a86d44ff7ef8a5a2255441b97066ec7f23.exe

Verdict:

Malicious activity

Analysis date:

2025-10-15 02:20:34 UTC

Tags:

botnet phorpiex loader

Link:

https://app.any.run/tasks/821324e3-fab2-4b83-abef-26c04f903358

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Phorpiex

Link:

https://www.capesandbox.com/analysis/34293/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ff7ded5de5ca270752d492

Tags:

downloader phorpiex dropper remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the Windows directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the %temp% directory

DNS request

Connection attempt

Changing an executable file

Creating a window

Sending a UDP request

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Creating a file in the mass storage device

Sending an HTTP GET request to an infection source

Infecting executable files

Enabling threat expansion on mass storage devices

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto explorer fingerprint lolbin microsoft_visual_cc phorpiex

Link:

https://www.filescan.io/uploads/68ff7dea11ff3db29f692cc7/reports/56c28583-f210-487d-87af-684ad3981231/overview

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-12T22:53:00Z UTC

Last seen:

2025-10-29T12:21:00Z UTC

Hits:

~10000

Detections:

Trojan-Dropper.Win32.Dorifel.sbc Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Zonidel.sb HEUR:Virus.Win32.Zeropi.gen HEUR:Trojan-Downloader.Win32.Agent.gen HEUR:Trojan-Banker.Win32.Phorpiex.gen Trojan.Win32.Patched.rw Trojan.Win32.Agent.sb HEUR:Worm.Win32.Generic HEUR:Trojan.Win32.Agent.gen HEUR:Trojan.Win32.Generic BSS:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e/results?tab=lookup

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c277788-43dd-4bc9-b978-1c12db1d642f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/e15920e4e4d968e5372e0c33d98e9bb6

Detection:

phorpiex

Link:

https://mwdb.cert.pl/sample/926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2025-10-13 06:22:13 UTC

File Type:

PE (Exe)

AV detection:

31 of 38 (81.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjxhux6c34kcqdo3t6wsu2r2qea4iasmxtqsr6p6vsypbqpca4ha._file

Verdict:

malicious

Label(s):

phorpiex

unc_loader_055

knotransomware

Phorpiex

586a29bab56e5d7be8b7a783256b0458a4eca167c7d519fdbc8467ba2331e7e8

Phorpiex

691c7411c7a9e418e81f51c34e323735bcc12dd8c21c7a58ee149b588f3d621b

Phorpiex

8ac7bf6ead6c0068502f6473f7377239cdc44c6af728d5952500b8d5ae0ff157

Phorpiex

b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076

Phorpiex

d17fbdccb55a602246b26034b6ce9d64ae1c3b5ad48fd93a732d2fb1dd8de6df

Phorpiex

d8d4c136068c9c5aad47a796b1e5f075bae4ded6c9e547ddba00ca9e112cb279

Phorpiex

e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16

Phorpiex

+ 188 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:phorphiex family:xmrig defense_evasion discovery execution loader miner persistence spyware stealer trojan worm

Link:

https://tria.ge/reports/251027-rjbm5sxngw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Launches sc.exe

Suspicious use of SetThreadContext

Adds Run key to start application

Creates new service(s)

Executes dropped EXE

Reads user/profile data of web browsers

Stops running service(s)

Downloads MZ/PE file

XMRig Miner payload

Phorphiex family

Phorphiex payload

Phorphiex, Phorpiex

Xmrig family

xmrig

Malware Config

C2 Extraction:

http://178.16.54.109/
http://176.46.158.64/
http://178.16.54.109
178.16.54.109

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5159e691-bab9-4f98-91ca-1a154a085b1c

Unpacked files

SH256 hash:

926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e

MD5 hash:

e15920e4e4d968e5372e0c33d98e9bb6

SHA1 hash:

7a76e9b5300ecd6b4f81a168880e31e1994d3ec5

Link:

https://www.unpac.me/results/2043a63a-18c2-448a-998c-ea823ee042a6/

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/926e7a5fc2df/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Phorpiex

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.