MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 8



SHA256 hash: e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579
SHA3-384 hash: fb9a8cd822fc6530fd69099558de94404da7fe2b85ae4461aced817c615b67e3423a42c058587cdde667410bf6332f47
SHA1 hash: a71705075250ad01e1bf17db23a9dc560803adc1
MD5 hash: 371f00c6fdf9ee7012b15d210449b386
humanhash: iowa-alabama-princess-beer
File name: 371f00c6fdf9ee7012b15d210449b386.exe
Download: download sample
Signature: Phorpiex
File size: 114'688 bytes
First seen: 2020-11-07 07:40:45 UTC
Last seen: 2020-11-07 09:41:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9668b7091de4529d55cf638b279f602e (4 x Phorpiex, 1 x Smoke Loader)
ssdeep: 1536:jGKeS9HDl/G3akhXeFQxy3rxwWcUhFux0Y0fl6WQLQQtr8asRXOK/B/OSD:jBeQR/G3akxeFQxirs/0d6tb8TOKpt
Threatray: 18 similar samples on MalwareBazaar
TLSH: 6DB36B555D0A8890F3E04978AF39DF3B4A6D6CB91B960877F3D12E8330B5F93C925624
Reporter: abuse_ch
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 2
# of downloads: 123
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Searching for the window
Searching for many windows
DNS request
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Sending an HTTP GET request to an infection source
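The persistence and USB-spreading behaviours listed above (Run key under Software\Microsoft\Windows\CurrentVersion\Run, the hidden attribute on dropped files, a LNK file on mass storage, removal of the Zone.Identifier mark) can be checked mechanically against sandbox or Sysmon-style event records. The Python below is an added example written for this page, not MalwareBazaar's or any vendor's code. The events are constructed: the drop path C:\5451224415524\svchost.exe and the path C:\Users\user\AppData\Local\Temp\36729.exe appear in the behaviour graph on this page, while the Run value name, the E: drive and its LNK name, the Zone.Identifier deletion on that Temp file, and the event field layout are assumptions.

```python
import ntpath
import re

# Directories from which a Run-key target normally executes; anything else is worth a look.
TRUSTED_RUN_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
# Drop-folder pattern seen in the behaviour graph: C:\<digits>\svchost.exe
NUMERIC_ROOT_DIR_RE = re.compile(r"^[a-z]:\\\d+\\", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".com")


def _norm(path):
    """Lower-case, strip quotes and collapse separators so prefix checks are reliable."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def triage(events):
    """Return (finding, artefact) pairs for the persistence and spreading behaviours."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = _norm(ev["value"])
            if not target.startswith(TRUSTED_RUN_DIRS):
                findings.append(("run_key_outside_trusted_dirs", ev["value"]))
            if NUMERIC_ROOT_DIR_RE.match(target):
                findings.append(("run_key_numeric_root_dir", ev["value"]))
        elif kind == "file_create":
            path = _norm(ev["path"])
            if path.endswith(EXECUTABLE_EXT) and NUMERIC_ROOT_DIR_RE.match(path):
                findings.append(("pe_dropped_in_numeric_root_dir", ev["path"]))
            # Simplification (assumed): any drive other than C: is treated as removable media.
            if path.endswith(".lnk") and not path.startswith("c:"):
                findings.append(("lnk_on_removable_media", ev["path"]))
        elif kind == "file_attr":
            path = _norm(ev["path"])
            if "hidden" in ev.get("attrs", []) and path.endswith(EXECUTABLE_EXT):
                findings.append(("hidden_attribute_on_executable", ev["path"]))
        elif kind == "file_delete":
            # Mark-of-the-Web lives in the Zone.Identifier alternate data stream;
            # assumes the log records deletion of that stream as a file_delete event.
            if _norm(ev["path"]).endswith(":zone.identifier"):
                findings.append(("zone_identifier_removed", ev["path"]))
    return findings


# Constructed events, not a real log. Paths marked "from graph" appear on this page.
EVENTS = [
    {"type": "file_create", "path": r"C:\5451224415524\svchost.exe"},            # from graph
    {"type": "file_attr", "path": r"C:\5451224415524\svchost.exe", "attrs": ["hidden"]},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Microsoft Windows Manager",                                        # value name assumed
     "value": r"C:\5451224415524\svchost.exe"},
    {"type": "file_delete",                                                      # ADS deletion assumed
     "path": r"C:\Users\user\AppData\Local\Temp\36729.exe:Zone.Identifier"},
    {"type": "file_create", "path": r"E:\Removable Disk.lnk"},                   # drive and name assumed
    {"type": "registry_set",                                                     # benign control case
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for finding, artefact in triage(EVENTS):
        print(f"{finding:34} {artefact}")
```

The benign HKLM Run entry is included so the check shows it does not fire on a system binary launched from System32; the numeric-directory and hidden-attribute checks are what separate the dropped svchost.exe copy from the real one.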
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph ID: 310939
Sample: 6FRRo6QFF2.exe
Startdate: 07/11/2020
Architecture: WINDOWS
Score: 100
Process tree shown in the graph:
6FRRo6QFF2.exe -> svchost.exe (dropped copy) -> 1982414911.exe, 1286226641.exe, 2217933148.exe
1982414911.exe -> svchost.exe (second dropped copy) -> 3471919454.exe, 2267926140.exe, 2918815666.exe
MpCmdRun.exe -> conhost.exe
Also started: svchost.exe (x2) and 10 other processes
Dropped files shown in the graph:
C:\5451224415524\svchost.exe (PE32)
C:\258342606122373\svchost.exe (PE32)
C:\Users\user\AppData\...\2217933148.exe, 1982414911.exe, 1286226641.exe (data)
C:\Users\user\AppData\...\3471919454.exe, 2918815666.exe, 2267926140.exe (data)
C:\Users\user\AppData\Local\Temp\36729.exe (PE32)
C:\Users\user\AppData\...\winsysdrv[1].exe (PE32)
Domains and IPs shown in the graph:
api.wipmania.com 212.83.168.196 (ports 49720, 49727, 49731; OnlineSASFR, France), contacted by the sample and by each dropped stage
trikhaus.top (resolves to 127.0.0.1)
trik.ws
wdkowdohwodhfhfb.to, seuufhehfueugheh.top and 9 other IPs or domains (initial stage)
wduufbaueeubffgb.to, okdoekeoehghaoeb.to and 26 other IPs or domains (first dropped svchost.exe)
faugzeazdezgzgfu.ws, wduufbaueeubffgu.ws and 8 other IPs or domains (second dropped svchost.exe)
Signatures shown in the graph:
Antivirus detection for URL or domain
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to resolve many domain names, but no domain seems valid
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
System process connects to network (likely due to code injection or exploit)
plus other signatures not expanded in the graph
Threat name: Win32.Worm.Phorpiex
Status: Malicious
First seen: 2020-11-07 00:59:22 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex evasion loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Unpacked files
SHA256 hash: e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579
MD5 hash: 371f00c6fdf9ee7012b15d210449b386
SHA1 hash: a71705075250ad01e1bf17db23a9dc560803adc1
Detections: win_phorpiex_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
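The two Sigma hits in the signature list above (Suspicious Svchost Process and System File Execution Location Anomaly) and the Ping_Del_method YARA rule just listed all describe patterns that can be expressed over process-creation records: a svchost.exe whose parent is not a service host, a system-binary name executed outside a Windows system directory, and the "ping, redirect to nul, then del" self-deletion command. The Python below is an added example for this page, not the text of the Sigma or YARA rules, and runs a simplified version of each over constructed events. The image path C:\5451224415524\svchost.exe and the sample name 6FRRo6QFF2.exe come from the behaviour graph on this page; the parent-process allowlist, the exact ping-and-delete command line, and the event field layout are assumptions.

```python
import ntpath
import re

# Directories a Windows system binary is expected to run from (simplified; real Sigma
# rules carry a longer allowlist).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Binary names that should only ever execute from one of SYSTEM_DIRS.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "wininit.exe", "spoolsv.exe"}
# Parents under which svchost.exe is normally seen (assumed allowlist, simplified).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
# "cmd ping IP nul del": ping used as a sleep, output to nul, then del of the original file.
PING_DEL_RE = re.compile(r"\bping\b[^&|]*>\s*nul\s*&&?\s*del\b", re.I)


def _norm(path):
    """Lower-case, strip quotes and collapse separators so path comparisons are reliable."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def detect(events):
    """Return (rule, artefact) pairs for each process-creation record that matches."""
    hits = []
    for ev in events:
        image = _norm(ev["image"])
        name = ntpath.basename(image)
        directory = ntpath.dirname(image)
        parent = ntpath.basename(_norm(ev["parent"]))
        if name in SYSTEM_BINARIES and not directory.startswith(SYSTEM_DIRS):
            hits.append(("system_file_execution_location_anomaly", ev["image"]))
        if name == "svchost.exe" and parent not in SVCHOST_PARENTS:
            hits.append(("suspicious_svchost_process", ev["image"]))
        if PING_DEL_RE.search(ev.get("cmdline", "")):
            hits.append(("ping_del_self_delete", ev["cmdline"]))
    return hits


# Constructed process-creation records, not a real log; the two paths marked "from graph"
# appear on this page, everything else (parents, command lines) is assumed.
PROCESS_EVENTS = [
    {"image": r"C:\Users\user\Desktop\6FRRo6QFF2.exe",                          # name from graph
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\6FRRo6QFF2.exe"'},
    {"image": r"C:\5451224415524\svchost.exe",                                   # from graph
     "parent": r"C:\Users\user\Desktop\6FRRo6QFF2.exe",
     "cmdline": r"C:\5451224415524\svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",                                # benign control case
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\cmd.exe",                                    # self-delete step, assumed
     "parent": r"C:\5451224415524\svchost.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\user\Desktop\6FRRo6QFF2.exe"'},
]

if __name__ == "__main__":
    for rule, artefact in detect(PROCESS_EVENTS):
        print(f"{rule:40} {artefact}")
```

The dropped svchost.exe trips both process rules at once, which is the usual picture for this family: the benign name buys nothing once the image directory and parent are checked rather than the file name alone. The ping-and-delete regex is written against command lines; the YARA rule's name suggests it matches the same string in the binary or in memory, which the regex can also be applied to.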

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Phorpiex
File type: Executable exe
SHA256: e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579 (this sample)

Comments