MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 16

SHA256 hash: e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
SHA3-384 hash: 602b20fb37ae598b3216d1bf3cc8b1dfed9ae7c2467f7870f57c06993325a470a47777a0c30455ef6394a2f2bffe188e
SHA1 hash: 0629d26e09f45aea2a3c06580a82dbc9f94fe386
MD5 hash: 52776f7c163b7eb61219abd5b5af3973
humanhash: king-shade-kitten-single
File name: e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
Download: download sample
Signature: Phorpiex
File size: 465'496 bytes
First seen: 2023-02-06 12:45:41 UTC
Last seen: 2023-02-06 14:48:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dcbe94b8cc54b8e53867c61cc96811d6 (1 x Phorpiex, 1 x LummaStealer, 1 x ACRStealer)
ssdeep: 12288:uymOcB+pwPprnVmLmDsC+FU+ZOSzt9tzt:uLOsDFncLmKDZOSzXFt
Threatray: 64 similar samples on MalwareBazaar
TLSH: T169A46D32A7A05033D6F105B3F914D6307E7DA2296F1089ABD3949D2D3EA84D6A7F7213
TrID:
  74.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE): PE icon
dhash icon: b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter: adrian__luca
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 2
# of downloads: 199
Origin country: HU
Vendor Threat Intelligence
Malware family: phorpiex
ID: 1
File name: e085c86990a0c1bd74cc290eaef3144f.exe
Verdict: Malicious activity
Analysis date: 2023-01-22 17:35:40 UTC
Tags: loader trojan phorpiex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
DNS request
Sending a UDP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll virus zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex, Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 799386; sample VzZdPuMkMm.exe; start date 06/02/2023; architecture WINDOWS; score 100)

Sample-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures

Process tree (child processes are indented under the process that started them; network contacts, dropped files and signatures are listed under the process they are attributed to):

VzZdPuMkMm.exe
  network: 185.215.113.66 (ports 49709, 49710, 49716), WHOLESALECONNECTIONSNL, Portugal
  dropped: C:\Users\user\AppData\Local\Temp\4F1B.exe (PE32); C:\Users\user\AppData\Local\...\npp[1].exe (PE32)
  signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Hides that the sample has been downloaded from the Internet (zone.identifier)
  4F1B.exe
    network: 185.215.113.84 (ports 49713, 49720, 49739), WHOLESALECONNECTIONSNL, Portugal; Detected Stratum mining protocol on this connection
    dropped: C:\Users\user\AppData\...\1534818282.exe (PE32); C:\Users\user\AppData\Local\...\newtpp[1].exe (PE32)
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    1534818282.exe
      dropped: C:\Windows\sysagrsv.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
      sysagrsv.exe
        network: 31.186.54.5 (port 40500), AKNET-ASKG, Kyrgyzstan; 100.70.71.70 (port 40500), UUNETUS, Reserved; 25 other IPs or domains
        dropped: C:\Users\user\AppData\...\3163610126.exe (PE32); C:\Users\user\AppData\...\2761716769.exe (PE32)
        signatures: Antivirus detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Contains functionality to check if Internet connection is working; 4 other signatures
        2761716769.exe
          dropped: C:\Users\user\AppData\...\2412021078.exe (PE32+); C:\Users\user\AppData\Local\...\xmr[1].exe (PE32+)
          signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
          2412021078.exe
            dropped: C:\Users\user\...\winsvrupd.exe (PE32+)
            signatures: Antivirus detection for dropped file
        3163610126.exe
winsvrupd.exe
  dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\Local\...\mpnsrsgv.tmp (PE32+)
  signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample is not signed and drops a device driver
  cmd.exe
    signatures: Query firmware table information (likely to detect VMs)
powershell.exe
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  conhost.exe
11 other processes
  signatures: Query firmware table information (likely to detect VMs)
  MpCmdRun.exe
    conhost.exe
  conhost.exe
  schtasks.exe
  3 other processes
Threat name: Win32.Trojan.Phonzy
Status: Malicious
First seen: 2023-01-25 15:30:23 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 22 of 39 (56.41%)
Threat level: 5/5
Result
Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex evasion loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Phorphiex
Windows security bypass
Malware Config
C2 Extraction: http://185.215.113.66/
Unpacked files
SHA256 hash: e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
MD5 hash: 52776f7c163b7eb61219abd5b5af3973
SHA1 hash: 0629d26e09f45aea2a3c06580a82dbc9f94fe386
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments