MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6
SHA3-384 hash:	104bdb8c69099a9c2a6d700a8e30cdea6282812a8a68b834409ba1d268352585952c2163916e962808fc976f80143408
SHA1 hash:	6131ac02e5d8a14f22046e7743cbeebd3142f32f
MD5 hash:	b0449f002413531fcec8ee70a83837f8
humanhash:	bacon-robert-pasta-bravo
File name:	file
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	22'528 bytes
First seen:	2026-04-02 18:05:08 UTC
Last seen:	2026-04-04 08:12:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d0f945da54f20d8bcaf079f2d6ea9f63 (5 x Phorpiex)
ssdeep	384:Hu1OuPf4/S1fUrQFYhJ4JVB0WsNUnwnR:HNuPf4/IUrqY+xsN
Threatray	101 similar samples on MalwareBazaar
TLSH	T108A20806AA56534AF4B1187553B72E356439BE32270D94CFEF900A391274EE0FE3739A
TrID	34.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.7% (.EXE) Win64 Executable (generic) (6522/11/2) 10.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-phorpiex exe Phorpiex

Bitsight

url: http://178.16.54.109/5

Intelligence

File Origin

# of uploads :

169

# of downloads :

129

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2026-04-02 18:06:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/25066999-69b8-4c81-8327-eee76fc8005a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/60245/

Detection(s):

Win.Ransomware.Phorpiex-10059719-0

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Changing an executable file

Infecting executable files

Verdict:

Malicious

Labled as:

Ransom.GandCrab.Generic

Link:

https://www.hybrid-analysis.com/sample/ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-02T15:14:00Z UTC

Last seen:

2026-04-03T15:55:00Z UTC

Hits:

~1000

Detections:

HEUR:Virus.Win32.Zeropi.gen

Link:

https://opentip.kaspersky.com/ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6/results?tab=lookup

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c1f935cd-1ba7-4967-a81a-b53708db64ba

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/b0449f002413531fcec8ee70a83837f8

Detection:

phorpiex

Link:

https://mwdb.cert.pl/sample/ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6/

Verdict:

Malicious

Threat:

Family.PHORPHIEX

Link:

https://tip.neiki.dev/file/ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6

Threat name:

Win32.Ransomware.GandCrab

Status:

Malicious

First seen:

2026-04-02 18:05:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ycmhqs4x3sp2ey7murzwygczfg3aquoqzqhybuf47dban3lgtda._file

Verdict:

malicious

Label(s):

phorpiex

Phorpiex

4e6463620c3c1a001e7fb411bbfd7ca9f2b5bdffe0a84bb964b6fd5406bb232a

Phorpiex

98e5fdce85ab8e17472f95eecb4c22f08a28933828e0afd0b5db831fe222e373

Phorpiex

d98ed47b52155dc6a158f960dc2184153d84e8886d9a8fef439c73f6353138f8

Phorpiex

error

Phorpiex

+ 91 additional samples on MalwareBazaar

Result

Malware family:

phorphiex

Score:

10/10

Tags:

family:phorphiex discovery spyware stealer

Link:

https://tria.ge/reports/260402-wpbbsacy5t/

Behaviour

System Location Discovery: System Language Discovery

Reads user/profile data of web browsers

Malware Config

C2 Extraction:

178.16.54.109

Unpacked files

SH256 hash:

ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6

MD5 hash:

b0449f002413531fcec8ee70a83837f8

SHA1 hash:

6131ac02e5d8a14f22046e7743cbeebd3142f32f

Link:

https://www.unpac.me/results/c53890d4-4751-48ed-82a6-725e83899716/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ee04c3c25cbee4fd131f65239b60c2c94db0428e86607c0685e7c610376b34c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.