MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615
SHA3-384 hash: 502adee131e01769f04c18c1af72b907e8ed679affb273c9fab636bc6818fa22ae921209e2b85b459580f9dbe934f344
SHA1 hash: c1411e9928f499a410d7fa6ea457dfc9b84c1585
MD5 hash: cf13cffe8ffb96c8197d94f431576b6f
humanhash: violet-purple-louisiana-table
File name:file
Download: download sample
Signature Phorpiex
Create hunting rule
File size:114'688 bytes
First seen:2026-06-04 17:28:40 UTC
Last seen:2026-06-04 19:45:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c6cbbdd643acf2dc6daa2bfb97e98d80 (15 x Phorpiex)
ssdeep 1536:5jKtSmJd7d52Dr59gzmkVa8S9rL2sFTfEcvSn0Mv3fx/h5Km26E8Yj29:ZKtS2d6oS8S1LFTfHm3fx/h5Kmuzj0
Threatray 35 similar samples on MalwareBazaar
TLSH T1DBB38E1030C1C432E566117988AAC7B98A6EF8710F756BD7FFC406AD8F366D19A36387
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-phorpiex exe Phorpiex


Avatar
Bitsight
url: http://178.16.54.109/5

Intelligence

File Origin
# of uploads :
79
# of downloads :
140
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-04 17:30:56 UTC
Tags:
ip-check evasion
Link:
https://app.any.run/tasks/b82d6a72-6c42-4828-bfe7-a12f86e35f1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69027/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a21b5f057b7bf261d60dff2
Tags:
dropper virus agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug evasive explorer fingerprint lolbin microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6a21b5ee12da0d249c651fe9/reports/51b800c4-fa51-4a9e-99a1-006db1629817/overview
Verdict:
Malicious
Labled as:
Worm.Phorpiex.Generic
Link:
https://www.hybrid-analysis.com/sample/cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b096f04-7406-4b69-becf-9742f2aab2b4
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615/
Verdict:
Malicious
Threat:
Trojan.Win32.Agentb
Link:
https://tip.neiki.dev/file/cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2026-06-04 17:29:19 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7wn5yzgtdiz533lwlkjv7w65s6nv3ujijhzjzpgpzijoygueykq._file
Verdict:
malicious
Label(s):
phorpiex
Create hunting rule
Similar samples:
0371fbbff34ec41ee9ae007482edbcb75f1749661b863da3a2ffe86638cd62a3
Phorpiex
638bee1130007af009e628efbd6aed9b7b0c88c9184513e1928cf7e0eba215e0
Phorpiex
9570038453a8b3caa9e7a0af56ef77cee9cfb314c357e62f4350fb99f6afc51f
Phorpiex
a1e6596aebf29245f949787234fa4258a2978cdf86275224af0700899f4b6704
Phorpiex
e50d0e5abf23d4cdb1021c0db51572a785150f0a797fbe57b203b54c26c086e1
Phorpiex
error
Phorpiex
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/260604-v2pjhabt9t/
Behaviour
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Unpacked files
SH256 hash:
cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615
MD5 hash:
cf13cffe8ffb96c8197d94f431576b6f
SHA1 hash:
c1411e9928f499a410d7fa6ea457dfc9b84c1585
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/4b82eb6b-b71b-4bff-89e4-8ff6cf1354cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe cfecdee32698d19eef6bb2d49afedeecbcdaee89424f94e5e67e509760d42615

(this sample)

  
Dropped by
Phorpiex
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/69027/

Comments