MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdb2b4c85d67ee5d29410f0411776be88c42a21df4c153b831db9562f7a5f8da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 7



SHA256 hash: cdb2b4c85d67ee5d29410f0411776be88c42a21df4c153b831db9562f7a5f8da
SHA3-384 hash: 300543f21d1e18831e85da7a969c0d3a7a0755b13ee0c8bb15c1243ab5d39a6dfaddc46b5d81c828a793f40afb56e76c
SHA1 hash: ca578f79ed20ec2b6a9fb77dbfce76f49a3ed400
MD5 hash: 354bb8a5ccd3d21cdecdf379bb2be20f
humanhash: mike-massachusetts-pip-july
File name: SecuriteInfo.com.Win32.DH_YQkDRA.5848.32110
Download: download sample
Signature: Phorpiex
File size: 27'952 bytes
First seen: 2020-07-22 21:54:53 UTC
Last seen: 2020-08-02 07:33:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 30c7d3b737dc53930291efae2fad5224 (1 x Phorpiex)
ssdeep: 768:AfbH3PQOh2cZO0UN7j3annnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn:Af73PQOh2ga3annnnnnnnnnnnnnnnnnn
Threatray: 318 similar samples on MalwareBazaar
TLSH: B3C2F5E257DCA9C2D8FF04789E2AB81DDE9E176B3543C8476362A4AD58F23424012DDF
Reporter: SecuriteInfoCom
Tags: Phorpiex

Intelligence


File Origin
# of uploads: 3
# of downloads: 129
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Sending an HTTP GET request to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 249935
Sample: SecuriteInfo.com.Win32.DH_Y...
Startdate: 23/07/2020
Architecture: WINDOWS
Score: 100

Top-level DNS/IP:
  ufhuehfuigiijdh.to
  hugrhusghufiiih.to (Tries to resolve many domain names, but no domain seems valid)
  eaougheofhuoaeh.to
Top-level signatures:
  Multi AV Scanner detection for domain / URL
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  3 other signatures
Processes started at top level:
  SecuriteInfo.com.Win32.DH_YQkDRA.5848.exe
  svchost.exe (three instances)

SecuriteInfo.com.Win32.DH_YQkDRA.5848.exe
  Dropped: C:\462579629763\svchost.exe (PE32)
  Signatures: Drops PE files with benign system names; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: svchost.exe

svchost.exe (started by the sample)
  DNS/IP: tldrbox.ws 217.8.117.10 (ports 49723, 49724, 49725; CREXFEXPEX-RUSSIARU, Russian Federation); lwoekouututeuoh.to (Tries to resolve many domain names, but no domain seems valid); 39 other IPs or domains
  Dropped: C:\Users\user\AppData\...\2393834357.exe (data); C:\Users\user\AppData\...\2167819662.exe (data); C:\Users\user\AppData\...\1991911000.exe (data)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Changes security center settings (notifications, updates, antivirus, firewall); 2 other signatures
  Started: 1991911000.exe; 2167819662.exe; 2393834357.exe

1991911000.exe
  Dropped: C:\284391759423874\svchost.exe (PE32)
  Signatures: Drops PE files with benign system names; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: svchost.exe

svchost.exe (started by 1991911000.exe)
  DNS/IP: ufhuehfuigiijdz.top; lwoekouututeuoz.top (Tries to resolve many domain names, but no domain seems valid); 25 other IPs or domains
  Dropped: C:\Users\user\AppData\...\3887930152.exe (data); C:\Users\user\AppData\...\2685610611.exe (data); C:\Users\user\AppData\...\2315719580.exe (data)
  Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 2 other signatures
  Started: 3887930152.exe; 2685610611.exe; 2315719580.exe
Threat name: Win32.Worm.Phorpiex
Status: Malicious
First seen: 2020-07-22 10:33:20 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan persistence
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: win_phorpiex_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Phorpiex
File type: Executable exe
SHA256 hash: cdb2b4c85d67ee5d29410f0411776be88c42a21df4c153b831db9562f7a5f8da (this sample)

Comments