MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 18



SHA256 hash: d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3
SHA3-384 hash: 73dd2060ef299fa1b3230d5827aaa862a02e988860d3117020a70836c206f7e900f0a67fb30ffe56eae64a1001762c2a
SHA1 hash: 4952cbfbdec300c048808d79ee431972b8a7ba84
MD5 hash: e2e3268f813a0c5128ff8347cbaa58c8
humanhash: lima-stream-eleven-early
File name:e2e3268f813a0c5128ff8347cbaa58c8.exe
Signature Phorpiex
File size:80'896 bytes
First seen:2024-07-19 10:14:00 UTC
Last seen:2024-07-19 11:56:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e3b708193fe03ba1bfd096b4ae42f3b9 (2 x Phorpiex)
ssdeep 1536:W9mw4/inFmav82TmKtj+5qUPsY3BCHYJhcWPA4G9kj3K1:CmwohOBiPsWMH4ogj3K
Threatray 390 similar samples on MalwareBazaar
TLSH T1BF832800F6D0863AF0F701FBD2BB166A5D2CEFF4630554EB5395A8AF6B249C0A931167
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter abuse_ch
Tags:exe Phorpiex

Intelligence


File Origin
# of uploads :
2
# of downloads :
440
Origin country :
NL
Vendor Threat Intelligence
Malware family:
phorpiex
ID:
1
File name:
Setup.zip
Verdict:
Malicious activity
Analysis date:
2024-07-18 01:07:07 UTC
Tags:
phorpiex loader opendir zphp lumma stealer metastealer redline ssh telegram evasion vidar stealc risepro djvu ransomware stop python dcrat upx themida raccoonclipper

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Execution Generic Infostealer Network Stealth Trojan Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a window
Launching a process
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Blocking the Windows Security Center notifications
Connection attempt to an infection source
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Adding an exclusion to Microsoft Defender
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Phorpiex, Xmrig
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Notepad Making Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Stops critical windows services
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1476716
Sample: 3YHDfHLvo4.exe
Startdate: 19/07/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures

Process tree (dropped files, network destinations and per-process signatures as drawn in the graph):

3YHDfHLvo4.exe
    Dropped: C:\Windows\sysarddrvs.exe (PE32)
    Signatures: Contains functionality to check if Internet connection is working; Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier); Contains functionality to detect sleep reduction / modifications
    sysarddrvs.exe
        Network: 185.215.113.66 (49730, 49732, 49734; WHOLESALECONNECTIONSNL, Portugal), on which the Stratum mining protocol was detected; 2.185.76.79 (40500; TCIIR, Iran (Islamic Republic of)); 8 other IPs or domains
        Dropped: C:\Users\user\AppData\...\2908619120.exe (PE32); C:\Users\user\AppData\...\2014116813.exe (PE32); C:\Users\user\AppData\...\1048413556.exe (PE32); 2 other malicious files
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 7 other signatures
        2014116813.exe
            Network: 185.215.113.84 (49736, 80; WHOLESALECONNECTIONSNL, Portugal)
            Dropped: C:\Users\user\AppData\...\3174319660.exe (PE32+); C:\Users\user\AppData\Local\...\nxmr[1].exe (PE32+)
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
            3174319660.exe
                Dropped: C:\Users\user\Windows Upgrade\wupgrdsv.exe (PE32+)
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Found direct / indirect Syscall (likely to bypass EDR)
        2908619120.exe
            Dropped: C:\Windows\winblrsnrcs.exe (PE32)
            Signatures: Drops executables to the windows directory (C:\Windows) and starts them
            winblrsnrcs.exe
                Network: 91.202.233.141 (49748, 49749, 49750; M247GB, Russian Federation); 77.91.77.92 (49740, 49742, 49744; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
                Signatures: Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
        cmd.exe
            Signatures: Adds a directory exclusion to Windows Defender; Stops critical windows services
            powershell.exe
                Signatures: Loading BitLocker PowerShell Module
            conhost.exe
        2 other processes
            Signatures: Antivirus detection for dropped file
            sc.exe
                conhost.exe
            conhost.exe
            sc.exe
            3 other processes
wupgrdsv.exe
    Dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\...\tvaifjwjgvdx.tmp (PE32+)
    Signatures: Suspicious powershell command line found; Found strings related to Crypto-Mining; Writes to foreign memory regions; 4 other signatures
    notepad.exe
        Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
powershell.exe
    Signatures: Loading BitLocker PowerShell Module
    conhost.exe
3 other processes
    conhost.exe
Threat name:
Win32.Trojan.MintZard
Status:
Malicious
First seen:
2024-07-17 23:11:14 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:phorphiex family:xmrig evasion execution loader miner persistence trojan worm
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stops running service(s)
XMRig Miner payload
Modifies security service
Phorphiex payload
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
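The extracted C2 URLs, the additional hosts in the sandbox process tree, and the Stratum detection on 185.215.113.66 give a network-side pivot. The script below is an added example rather than MalwareBazaar or vendor code: it normalises the indicators to a host set, matches flows by destination and by HTTP Host header (for traffic routed through an explicit proxy), and recognises Stratum by its newline-delimited JSON-RPC methods. SAMPLE_FLOWS and their payloads are constructed for the example; the destination ports, the proxy address and the nxmr.exe URI are assumptions, not values observed for this sample.

```python
"""Network-side matching for the extracted C2 list, plus Stratum detection.

Added example, not MalwareBazaar or vendor code. C2_URLS are the Malware Config
entries above and EXTRA_IPS the other destinations in the sandbox process tree;
SAMPLE_FLOWS are constructed (ports, proxy address and URI are assumptions).
"""
import json
from urllib.parse import urlsplit

C2_URLS = ["http://185.215.113.66/", "http://77.91.77.92/", "http://91.202.233.141/"]
EXTRA_IPS = ["185.215.113.84", "2.185.76.79"]

# Methods used by XMRig-style (login/submit/keepalived) and classic (mining.*) Stratum
STRATUM_METHODS = {"login", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}


def ioc_hosts(urls, ips):
    """Normalise URL and bare-IP indicators to one host set."""
    hosts = {urlsplit(u).hostname for u in urls}
    hosts.update(ips)
    return hosts


IOC_HOSTS = ioc_hosts(C2_URLS, EXTRA_IPS)


def looks_like_stratum(payload: bytes) -> bool:
    """Stratum is newline-delimited JSON-RPC; flag a line whose method is a mining call."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            return True
    return False


def http_host(payload: bytes) -> str:
    """Pull the Host header out of a plaintext HTTP request; '' if not HTTP (IPv4/name only)."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return ""


def scan_flows(flows):
    """Return [(flow index, [reasons])] for flows that hit an IOC or look like mining."""
    hits = []
    for i, f in enumerate(flows):
        reasons = []
        payload = f.get("payload", b"")
        if f["dst"] in IOC_HOSTS:
            reasons.append("dst_in_c2_list")
        host = http_host(payload)
        if host and host in IOC_HOSTS and f["dst"] not in IOC_HOSTS:
            reasons.append("http_host_in_c2_list")   # C2 reached through a proxy
        if looks_like_stratum(payload):
            reasons.append("stratum_mining_protocol")
        if reasons:
            hits.append((i, reasons))
    return hits


SAMPLE_FLOWS = [  # constructed; not captures from this sample
    {"src": "10.0.0.5", "dst": "185.215.113.84", "dport": 80,
     "payload": b"GET /nxmr.exe HTTP/1.1\r\nHost: 185.215.113.84\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "185.215.113.66", "dport": 3333,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet",'
                b'"pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}\n'},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 3128,   # explicit proxy (assumed)
     "payload": b"GET http://77.91.77.92/ HTTP/1.1\r\nHost: 77.91.77.92\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443,
     "payload": b"\x16\x03\x01"},                               # TLS hello, benign
]

if __name__ == "__main__":
    for idx, reasons in scan_flows(SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[idx]
        print(f'{f["src"]} -> {f["dst"]}:{f["dport"]}  {", ".join(reasons)}')
```

Matching on the method name rather than on a port is deliberate: the report lists only the destinations, not the pool port, and miners are routinely pointed at 80 or 443. The Host-header check is what keeps a proxied fetch of the C2 from looking like a connection to the proxy alone.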
Unpacked files
SHA256 hash:
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3
MD5 hash:
e2e3268f813a0c5128ff8347cbaa58c8
SHA1 hash:
4952cbfbdec300c048808d79ee431972b8a7ba84
Detections:
phorphiex
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                    | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                     | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)   | high
CHECK_PIE                 | Missing Position-Independent Executable (PIE) Protection | high
Reviews
ID                | Capabilities                         | Evidence
COM_BASE_API      | Can Download & Execute components    | ole32.dll::CoCreateInstance
SHELL_API         | Manipulates System Shell             | SHELL32.dll::ShellExecuteW
URL_MONIKERS_API  | Can Download & Execute components    | urlmon.dll::URLDownloadToFileW
WIN32_PROCESS_API | Can Create Process and Threads       | KERNEL32.dll::CreateProcessW
                  |                                      | WININET.dll::InternetCloseHandle
                  |                                      | KERNEL32.dll::CloseHandle
                  |                                      | KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                    | KERNEL32.dll::GetDriveTypeW
                  |                                      | KERNEL32.dll::GetVolumeInformationW
                  |                                      | KERNEL32.dll::GetSystemInfo
                  |                                      | KERNEL32.dll::GetDiskFreeSpaceExW
WIN_BASE_IO_API   | Can Create Files                     | KERNEL32.dll::CopyFileW
                  |                                      | KERNEL32.dll::CreateDirectoryW
                  |                                      | KERNEL32.dll::CreateFileW
                  |                                      | KERNEL32.dll::CreateFileMappingW
                  |                                      | KERNEL32.dll::DeleteFileW
                  |                                      | KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information        | KERNEL32.dll::QueryDosDeviceW
WIN_CRYPT_API     | Uses Windows Crypt API               | ADVAPI32.dll::CryptAcquireContextW
                  |                                      | ADVAPI32.dll::CryptGenRandom
WIN_REG_API       | Can Manipulate Windows Registry      | ADVAPI32.dll::RegCreateKeyExW
                  |                                      | ADVAPI32.dll::RegOpenKeyExW
                  |                                      | ADVAPI32.dll::RegOpenKeyExA
                  |                                      | ADVAPI32.dll::RegQueryValueExW
                  |                                      | ADVAPI32.dll::RegSetValueExW
                  |                                      | ADVAPI32.dll::RegSetValueExA
WIN_SOCK_API      | Uses Network to send and receive data | WS2_32.dll::WSACloseEvent
                  |                                      | WS2_32.dll::WSACreateEvent
                  |                                      | WS2_32.dll::WSAEnumNetworkEvents
                  |                                      | WS2_32.dll::WSAEventSelect
                  |                                      | WS2_32.dll::WSAGetOverlappedResult
                  |                                      | WS2_32.dll::WSARecv
WIN_USER_API      | Performs GUI Actions                 | USER32.dll::EmptyClipboard
                  |                                      | USER32.dll::OpenClipboard
                  |                                      | USER32.dll::CreateWindowExW
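The three BLint findings above all come from two places in the PE optional header: the DllCharacteristics flags (DYNAMIC_BASE for PIE, HIGH_ENTROPY_VA) and the security data directory, which is empty when there is no Authenticode signature. The checker below is an added example, not BLint's or MalwareBazaar's code: it reads those fields by hand and reports the same three IDs, plus an NX_COMPAT check that goes beyond the page's findings. build_min_pe() emits a constructed, header-only PE image so the checker runs offline; it is not this sample.

```python
"""Reproduce BLint's three hardening findings above from the PE headers directly.

Added example, not BLint's or MalwareBazaar's code. build_min_pe() emits a
constructed, header-only PE image so the checker can run offline; the
CHECK_NX finding is an addition beyond the three findings on the page.
"""
import struct

PE32, PE32PLUS = 0x10B, 0x20B
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT = 0x0020, 0x0040, 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def pe_hardening_findings(data: bytes):
    """Return [(id, title, severity)] in the order BLint lists them above."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                               # skip signature and COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar, = struct.unpack_from("<H", data, opt + 70)   # same offset for PE32 and PE32+
    dirs = opt + (96 if magic == PE32 else 112)           # start of the data directories
    sec_off, sec_size = struct.unpack_from(
        "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    findings = []
    # A non-empty security directory only proves a signature blob exists; its
    # validity (hash match, chain, revocation) still has to be checked separately.
    if sec_off == 0 or sec_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    # HIGH_ENTROPY_VA only takes effect on 64-bit images, but BLint reports it for
    # this PE32 sample as well, so it is checked regardless of the magic here.
    if not dllchar & HIGH_ENTROPY_VA:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (HIGH_ENTROPY_VA)", "high"))
    if not dllchar & DYNAMIC_BASE:
        findings.append(("CHECK_PIE",
                         "Missing Position-Independent Executable (PIE) Protection", "high"))
    if not dllchar & NX_COMPAT:                            # added check, not on the page
        findings.append(("CHECK_NX", "Missing NX_COMPAT (DEP)", "high"))
    return findings


def build_min_pe(magic: int, dllchar: int, signed: bool) -> bytes:
    """Constructed header-only PE image: DOS stub, PE signature, COFF and optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    opt_size = 224 if magic == PE32 else 240
    coff = struct.pack("<HHIIIHH",
                       0x14C if magic == PE32 else 0x8664,  # Machine: i386 / AMD64
                       0, 0, 0, 0, opt_size,
                       0x0102 if magic == PE32 else 0x0022)  # EXECUTABLE_IMAGE | width flag
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dllchar)
    dirs = 96 if magic == PE32 else 112
    struct.pack_into("<I", opt, dirs - 4, 16)             # NumberOfRvaAndSizes
    if signed:  # point the security directory at a (pretend) certificate table
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # An unsigned PE32 with only NX_COMPAT set reproduces the three findings above
    for f in pe_hardening_findings(build_min_pe(PE32, NX_COMPAT, signed=False)):
        print("%-26s %-60s %s" % f)
```

The security directory entry is a file offset, not an RVA, which is why the code does not translate it through the section table; on a real binary, pass the whole file and feed the offset and size to an Authenticode verifier before treating "signed" as meaningful.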
