MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 14



SHA256 hash: c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA3-384 hash: 3d8ffded3e1b8e07ecf23af8e50d2579d08947b19ce91634fed6452667188752bbdd6f4cdc7b16943001b57022ab52f9
SHA1 hash: b64fa8dded031d5dacac519a2035cefcd05e6503
MD5 hash: 209baf40779b80d5e443c3dbbd656bfb
humanhash: earth-avocado-mirror-friend
File name: 209baf40779b80d5e443c3dbbd656bfb.exe
Download: download sample
Signature: Phorpiex
File size: 77'312 bytes
First seen: 2022-08-11 06:25:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2f2316fb946682a102e453a8ae405904 (5 x Phorpiex)
ssdeep 1536:E3Mz8Guoo90MXrtvWhzNmgrZBVnWw7V15FK9:fwGuPXpOh5mgrVnj7V15FK
Threatray 2'418 similar samples on MalwareBazaar
TLSH T1C3733910F6D0C03AF0F740FBD2FB05AA592CAFB4534698E712D9A89F5B215D1B9364A3
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads :
1
# of downloads :
636
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
209baf40779b80d5e443c3dbbd656bfb.exe
Verdict:
Malicious activity
Analysis date:
2022-08-11 06:29:24 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for many windows
Creating a window
Creating a file in the %temp% directory
DNS request
Sending a UDP request
Deleting a recently created file
Replacing files
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
CallSleep
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitCoin Miner, Phorpiex, Xmrig
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 682242; Sample: GitmEGG60Q.exe; Startdate: 11/08/2022; Architecture: WINDOWS; Score: 100
Top signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 10 other signatures
Process tree (dropped files, signatures and network contacts as extracted from the graph; truncated paths are shown as extracted):
- GitmEGG60Q.exe
  Dropped: C:\Windows\wklopsvcs.exe (PE32)
  Signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to check if Internet connection is working; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
  - wklopsvcs.exe
    Network: 185.215.113.84 (ports 49761, 49762, 49764; WHOLESALECONNECTIONSNL, Portugal); 45.159.251.68 (port 40500; VMAGE-ASRU, Russian Federation); 25 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\...\272401063.exe (PE32); C:\Users\user\AppData\...\2040628210.exe (PE32)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
    - 2040628210.exe
      Dropped: C:\Users\user\AppData\...\1675122967.exe (PE32+); C:\Users\user\AppData\...\xmrminer[1].exe (PE32+)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
      - 1675122967.exe
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
        - conhost.exe
          Dropped: C:\Users\user\wincsvns.exe (PE32+)
          Signatures: Drops PE files to the user root directory
          - cmd.exe
            - wincsvns.exe
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
              - conhost.exe
                Dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
                Signatures: Writes to foreign memory regions; Sample is not signed and drops a device driver; Injects a PE file into a foreign processes
                - sihost64.exe
                  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
                  - conhost.exe
                - svchost.exe
            - conhost.exe
          - cmd.exe
            Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
            - conhost.exe
            - schtasks.exe
    - 272401063.exe
- wincsvns.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
  - conhost.exe
    - cmd.exe
      - taskkill.exe
      - conhost.exe
    - svchost.exe
- wklopsvcs.exe
Threat name:
Win32.Trojan.ClipBanker
Status:
Malicious
First seen:
2022-08-11 06:26:09 UTC
File Type:
PE (Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Result
Malware family:
phorphiex
Score:
  10/10
Tags:
family:phorphiex evasion loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Phorphiex
Windows security bypass
Malware Config
C2 Extraction:
http://185.215.113.84/twizt/
Unpacked files
SHA256 hash:
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
MD5 hash:
209baf40779b80d5e443c3dbbd656bfb
SHA1 hash:
b64fa8dded031d5dacac519a2035cefcd05e6503
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

Malware family: Phorpiex

Executable exe c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d (this sample)

Delivery method: Distributed via web download

Comments