MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments 1

SHA256 hash:	ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
SHA3-384 hash:	a0c74cfde904b175ac08d4cfa739d4569361d93050efb73345b0da57f3b258e3205c92c098cb513cefcc84af4152692f
SHA1 hash:	cdff6ddd67f17385f283a0f9e8de76731f11a9b6
MD5 hash:	5741eadfc89a1352c61f1ff0a5c01c06
humanhash:	lemon-triple-nuts-stream
File name:	5741eadfc89a1352c61f1ff0a5c01c06
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	77'312 bytes
First seen:	2022-07-16 04:49:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2f2316fb946682a102e453a8ae405904 (5 x Phorpiex)
ssdeep	1536:03Mz8GuoohIUXrtvWhzNmgrZBVnWw7V15FvV:vwGu/XpOh5mgrVnj7V15Fv
Threatray	13 similar samples on MalwareBazaar
TLSH	T143732910F6D0C03BF0F740FBD2FB05AA592CAFB4134698EB52D9A89B5B215D1B936463
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe Phorpiex

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/290775/

Detection(s):

Win.Malware.Phorpiex-9938809-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the Windows directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Searching for many windows

Creating a window

DNS request

Sending a UDP request

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Blocking the Windows Security Center notifications

Creating a file in the mass storage device

Enabling threat expansion on mass storage devices

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26259/overview

Behaviour

MalwareBazaar

CallSleep

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f427c4ca-b2dd-4c02-96bc-5d309b22fa1f

Result

Threat name:

Phorpiex

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1033387

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to check if Internet connection is working

Contains functionality to detect sleep reduction / modifications

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Phorpiex

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3/

Threat name:

Win32.Trojan.ClipBanker

Status:

Malicious

First seen:

2022-07-15 07:31:43 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jia255kxq6j2raeqaacypy5f4uxpj7ymdzveyhn3kfcmqdmuhbq._file

Verdict:

malicious

Phorpiex

52ba74cb8d846646b2b59b2a618e470416ef0ec40059420c0951db00b56e9b99

Phorpiex

555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99

Phorpiex

9ac6aabe5f916e190055913ff7b161356c5b4e5e3d99b5036cf3675751bc765a

Phorpiex

ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800

Phorpiex

+ 3 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence trojan

Link:

https://tria.ge/reports/220716-ff9j8agff5/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Adds Run key to start application

Windows security modification

Executes dropped EXE

Windows security bypass

Unpacked files

SH256 hash:

ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3

MD5 hash:

5741eadfc89a1352c61f1ff0a5c01c06

SHA1 hash:

cdff6ddd67f17385f283a0f9e8de76731f11a9b6

Link:

https://www.unpac.me/results/b2840e05-01c6-43a4-b7c2-b78a8a1aff8c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ea500d77aabc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.