MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments 1

SHA256 hash:	9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a
SHA3-384 hash:	fdc84b01be27a4f2edd590adf8470450864da51d4f91b5a65eda4b0d68f5a7aed9f620f62dcd56db90dcb53cc8087707
SHA1 hash:	2bb54d7c37a796510acf1fe726f0dc3d268da757
MD5 hash:	ade751cefdaa9e5295855f4e2c3f0e19
humanhash:	washington-utah-double-jupiter
File name:	ade751cefdaa9e5295855f4e2c3f0e19
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	80'896 bytes
First seen:	2022-01-24 04:36:27 UTC
Last seen:	2022-01-24 07:04:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	13d4ecb21ffd4b77a0608840e931a3df (2 x CoinMiner, 1 x CoinMiner.XMRig, 1 x Phorpiex)
ssdeep	1536:Ya3Mz8pizwqaegEQoife6/+sxJLogMau5FCF96:YhwyQz26WsA35FM6
Threatray	11 similar samples on MalwareBazaar
TLSH	T1B2834A00F6D2C23AF4FB44FFD6FB14AE652CAFB1334568D72384654B5A225D0AA31467
Reporter	zbetcheckin
Tags:	32 exe Phorpiex

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/221793/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.3091.25729.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the Windows directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

DNS request

Searching for many windows

Creating a window

Sending a UDP request

Sending a custom TCP request

Creating a file

Creating a file in the %temp% directory

Deleting a recently created file

Replacing files

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Blocking the Windows Security Center notifications

Creating a file in the mass storage device

Enabling threat expansion on mass storage devices

Sending an HTTP GET request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/61ee2cf2d32385db6325f51c/reports/1a5e5301-d238-4322-9528-0569c3ed5780/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1bb56af5-ba61-492b-8eaa-cae1d805579c

Result

Threat name:

Phorpiex

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/926005

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to check if Internet connection is working

Contains functionality to detect sleep reduction / modifications

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Phorpiex

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a/

Threat name:

Win32.Trojan.FWDisable

Status:

Malicious

First seen:

2022-01-18 06:58:41 UTC

File Type:

PE (Exe)

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Verdict:

malicious

Phorpiex

48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2

Phorpiex

555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99

Phorpiex

ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800

Phorpiex

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence trojan

Link:

https://tria.ge/reports/220124-e8ttsscbcl/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Adds Run key to start application

Windows security modification

Executes dropped EXE

Windows security bypass

Unpacked files

SH256 hash:

9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a

MD5 hash:

ade751cefdaa9e5295855f4e2c3f0e19

SHA1 hash:

2bb54d7c37a796510acf1fe726f0dc3d268da757

Link:

https://www.unpac.me/results/fcbc9035-c74a-4405-8016-73f3ab989ea1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9ac6aabe5f91/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.