MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f
SHA3-384 hash: fba9dde752f3d5f558e8ae76e8ac527577e9b2f879adbe2a668ab2490a466809717a5eccd2700eac64db202782306062
SHA1 hash: 612d1261bce41723b0a981c92bf9f186c9d46fe2
MD5 hash: 96de9c78028eaec7cd06d8e3e755ffc4
humanhash: may-lactose-william-ohio
File name:96de9c78028eaec7cd06d8e3e755ffc4.exe
Download: download sample
Signature Phorpiex
Create hunting rule
File size:77'312 bytes
First seen:2022-09-06 05:52:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f2316fb946682a102e453a8ae405904 (5 x Phorpiex)
ssdeep 1536:K3Mz8j5ZOooa0kCOrtEH1jBfSuh7wi5FLDtC:xwNZO3OpQ1VfPEi5Fft
Threatray 210 similar samples on MalwareBazaar
TLSH T1BB732810F6C0C13AF0F740FBD2BB05BA592CAFB4534698E712D9A89B5B315D1B9364A3
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe Phorpiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
96de9c78028eaec7cd06d8e3e755ffc4.exe
Verdict:
Malicious activity
Analysis date:
2022-09-06 05:53:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a56edffb-cb1f-4190-b22a-efaf9164520d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308042/
Detection(s):
Win.Malware.Phorpiex-9938809-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Сreating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for many windows
Creating a window
Sending a UDP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36738/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware phorpiex shell32.dll
Link:
https://www.filescan.io/uploads/6316e0b731a6d28c0ce4ecea/reports/f801c62f-fec7-45cc-a36e-609c68134ee2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d05953a3-1249-4248-930a-d01fd7c807e1
Result
Threat name:
Phorpiex, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065388
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 697914 Sample: 3rLbH0Gz5u.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 99 Snort IDS alert for network traffic 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 105 12 other signatures 2->105 11 winuedrvs.exe 7 22 2->11         started        16 3rLbH0Gz5u.exe 1 1 2->16         started        18 usercfg.exe 9 2->18         started        20 usercfg.exe 2->20         started        process3 dnsIp4 91 185.215.113.66, 49739, 49740, 49746 WHOLESALECONNECTIONSNL Portugal 11->91 93 187.233.102.122, 40500 UninetSAdeCVMX Mexico 11->93 95 22 other IPs or domains 11->95 77 C:\Users\user\AppData\...\2449721981.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\...\2047828624.exe, PE32 11->79 dropped 137 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->137 22 2047828624.exe 15 11->22         started        27 2449721981.exe 1 11->27         started        81 C:\Windows\winuedrvs.exe, PE32 16->81 dropped 139 Found evasive API chain (may stop execution after checking mutex) 16->139 141 Contains functionality to check if Internet connection is working 16->141 143 Drops executables to the windows directory (C:\Windows) and starts them 16->143 145 Contains functionality to detect sleep reduction / modifications 16->145 29 winuedrvs.exe 16->29         started        83 C:\Users\user\AppData\...\sihost64.exe, PE32+ 18->83 dropped 85 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 18->85 dropped 87 C:\Users\user\AppData\Roaming\D6B.tmp, PE32+ 18->87 dropped 147 Sample is not signed and drops a device driver 18->147 149 Drops executable to a common third party application directory 18->149 31 sihost64.exe 18->31         started        33 cmd.exe 18->33         started        35 notepad.exe 18->35         started        37 cmd.exe 20->37         started        file5 signatures6 process7 dnsIp8 89 185.215.113.84, 49745, 49780, 5155 WHOLESALECONNECTIONSNL Portugal 22->89 71 C:\Users\user\AppData\...\2339822406.exe, PE32+ 22->71 dropped 73 C:\Users\user\AppData\Local\...\miner[1].exe, PE32+ 22->73 dropped 109 Antivirus detection for dropped file 22->109 111 Machine Learning detection for dropped file 22->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->113 39 2339822406.exe 6 22->39         started        115 Multi AV Scanner detection for dropped file 27->115 117 Found evasive API chain (may stop execution after checking mutex) 29->117 119 Contains functionality to check if Internet connection is working 29->119 121 Contains functionality to detect sleep reduction / modifications 29->121 123 Uses cmd line tools excessively to alter registry or file data 33->123 43 conhost.exe 33->43         started        45 reg.exe 33->45         started        125 Query firmware table information (likely to detect VMs) 35->125 47 conhost.exe 37->47         started        49 reg.exe 37->49         started        file9 127 Detected Stratum mining protocol 89->127 signatures10 process11 file12 75 C:\Users\user\...\usercfg.exe, PE32+ 39->75 dropped 129 Antivirus detection for dropped file 39->129 131 Multi AV Scanner detection for dropped file 39->131 133 Machine Learning detection for dropped file 39->133 135 Encrypted powershell cmdline option found 39->135 51 powershell.exe 14 39->51         started        53 cmd.exe 1 39->53         started        signatures13 process14 signatures15 56 usercfg.exe 4 51->56         started        58 conhost.exe 51->58         started        107 Uses cmd line tools excessively to alter registry or file data 53->107 60 conhost.exe 53->60         started        62 reg.exe 1 1 53->62         started        process16 process17 64 cmd.exe 56->64         started        signatures18 97 Uses cmd line tools excessively to alter registry or file data 64->97 67 conhost.exe 64->67         started        69 reg.exe 64->69         started        process19
Detection:
phorpiex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f/
Threat name:
Win32.Trojan.FWDisable
Create hunting rule
Status:
Malicious
First seen:
2022-09-04 04:34:42 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vqm7nm4mheh2dklgoxmzgfxjrmeoxdn3cr463z3z7zo4bouyrpq._file
Verdict:
malicious
Similar samples:
22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
Phorpiex
48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
Phorpiex
4be45155e4f00c417a85688e2d31587ee82fe60dfc5c81a7c901ea703a179017
Phorpiex
52ba74cb8d846646b2b59b2a618e470416ef0ec40059420c0951db00b56e9b99
Phorpiex
9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a
Phorpiex
a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
Phorpiex
ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
Phorpiex
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
Phorpiex
ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
Phorpiex
+ 200 additional samples on MalwareBazaar
Result
Malware family:
phorphiex
Create hunting rule
Score:
  10/10
Tags:
family:phorphiex evasion loader persistence trojan worm
Link:
https://tria.ge/reports/220906-gla5aafhe3/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Phorphiex
Windows security bypass
Malware Config
C2 Extraction:
http://185.215.113.66/twizt/
Unpacked files
SH256 hash:
d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f
MD5 hash:
96de9c78028eaec7cd06d8e3e755ffc4
SHA1 hash:
612d1261bce41723b0a981c92bf9f186c9d46fe2
Link:
https://www.unpac.me/results/72d6d32a-8802-45c3-83cd-f274be7b7c67/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d560cfb59c61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308042/

Comments