MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6
SHA3-384 hash: 21def7e592e3c1a7e00d182d7ce7b62942546c59219166798882990d007fca3a47fdebc9b826a6e6f761da695ea11c4c
SHA1 hash: 8f58673e1ec16c5a18aaf96f9526f745fcd190db
MD5 hash: 2e9f0f6448faa6925659b178a6842841
humanhash: alaska-lamp-failed-comet
File name:2e9f0f6448faa6925659b178a6842841
Download: download sample
Signature Phorpiex
Create hunting rule
File size:20'480 bytes
First seen:2023-08-17 04:13:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb0ee5bafbb99ce467989526f0be15c6 (11 x Phorpiex)
ssdeep 384:X0piP0DWvqASUAzYAtlYxJ4JVB00xgMSKRj:XP0ivCUIDYOvxg
Threatray 18 similar samples on MalwareBazaar
TLSH T17792190699569357E87628B063B31D21A07DBE72631D95CFFB8005391670ED4FE3335A
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe Phorpiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e9f0f6448faa6925659b178a6842841
Verdict:
Malicious activity
Analysis date:
2023-08-17 04:15:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd5a506c-b596-429a-a8b0-ab8ff4584e38

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443121/
Detection(s):
SecuriteInfo.com.Variant.Ransom.GandCrab.2664.2546.5229.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Changing an executable file
Infecting executable files
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/103016/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Verdict:
Malicious
Labled as:
Ransom.GandCrab.Generic
Link:
https://www.hybrid-analysis.com/sample/ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb1d3501-adaf-498e-97d6-ab3e9bec11eb
Result
Threat name:
Phorpiex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1292565
Signature
Antivirus detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Phorpiex
Behaviour
Behavior Graph:
Download SVG
Detection:
phorpiex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6/
Threat name:
Win32.Ransomware.GandCrab
Create hunting rule
Status:
Malicious
First seen:
2023-08-16 18:15:15 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5qj6twcazm2he3xh63gz5ezo44xgmv67wpqvzd65ycqdhxkdtwta._file
Verdict:
malicious
Similar samples:
5c8d519b601447d102fc9b2f83b894bf15939506a3ad8aa53fa535de36121ce7
Phorpiex
78a973ace68c9666e5ec28c53be0d2d36bde2d419c10fa6ed939156d199a18ef
Phorpiex
90e109884750afed408867ab5d697d56b53620027d91a466a338a90f53ebbe02
Phorpiex
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72
Phorpiex
9dfff09e8395e8d195eaadf35bfb371eea2bf78d6842d7a26623c2824bb8826e
Phorpiex
a664a127c2ec79265a10441a789e02d44bfce8688ab6d459dc005c748720950f
Phorpiex
c1a6b3ae4be356a4953260388a0724f991abdb7eb28da6ab0ec4a7f57200a586
Phorpiex
ce87790b45cd1822a71e4d81733ec535a8aa5c42ec48f3593b14c5049ab635e6
Phorpiex
fcee0963cad730563a9db640db4adae6c526ea66af6c5add025debcf17b7f8ab
Phorpiex
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230817-etm3psfc22/
Behaviour
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6
MD5 hash:
2e9f0f6448faa6925659b178a6842841
SHA1 hash:
8f58673e1ec16c5a18aaf96f9526f745fcd190db
Link:
https://www.unpac.me/results/75ce4b0c-7981-41ca-86e2-cfa1c1e41508/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe ec13e9d840cb34726ee7f6cd9e932ee72e6657dfb3e15c8fddc0a033dd439da6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2540968/
Cape
Cape
https://www.capesandbox.com/analysis/443121/

Comments


Avatar
zbet commented on 2023-08-17 04:13:51 UTC

url : hxxp://185.215.113.66/newpinf.exe