MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 17


Intelligence 17 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
SHA3-384 hash: 2f3653cd049374f245abee916d7531e84f303bd6b4d603d383904022bb4300a8597a673305657d1197990db04cb69973
SHA1 hash: 2e677b7cafc3a8ee1696dddf38b176191d256559
MD5 hash: cd3237b1e648d31b8761196b6c64da8a
humanhash: robert-tennessee-fix-tango
File name:ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
Download: download sample
Signature Phorpiex
Create hunting rule
File size:633'176 bytes
First seen:2024-10-26 05:24:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c07e5efde56d9f1c0ef5ac77ff9467b8 (1 x Phorpiex)
ssdeep 12288:QmKt6DsU6ngc3kY+KC5gzwGKZ4cuQW8XQAL019bqoFARwpVp:QR8Y+sxYWkX019bqgWwpVp
Threatray 73 similar samples on MalwareBazaar
TLSH T1D6D47C17E25511FDD06AD17D8B469922F6B178060B35BAEF039053272F2BAE45F3EB20
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter JAMESWT_WT
Tags:exe Phorpiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
Verdict:
Malicious activity
Analysis date:
2024-10-26 05:29:13 UTC
Tags:
loader phorpiex miner
Link:
https://app.any.run/tasks/96be3234-b670-4c49-ab8b-d834b645be20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Ulise-9870412-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671c7e95a75e41aa67219870
Tags:
Powershell Phorpiex Xmrig Spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug fingerprint lolbin packed packer_detected shell32
Link:
https://www.filescan.io/uploads/671c7d30ae830d48b5db8c39/reports/0b975568-4c68-45f9-81b4-bfe22254c264/overview
Verdict:
Malicious
Labled as:
Ulise.Generic
Link:
https://www.hybrid-analysis.com/sample/ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/da426e80-cdef-41ea-99e3-3ba6a84f7b21
Result
Threat name:
Phorpiex, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1542688
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Stops critical windows services
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1542688 Sample: T52Z708x2p.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 100 160 twizthash.net 2->160 162 twizt.net 2->162 206 Multi AV Scanner detection for domain / URL 2->206 208 Suricata IDS alerts for network traffic 2->208 210 Found malware configuration 2->210 212 16 other signatures 2->212 14 T52Z708x2p.exe 17 2->14         started        19 winupsecvmgr.exe 2->19         started        21 powershell.exe 2->21         started        23 6 other processes 2->23 signatures3 process4 dnsIp5 178 twizthash.net 185.215.113.66, 49714, 49732, 49795 WHOLESALECONNECTIONSNL Portugal 14->178 152 C:\Users\user\AppData\Local\Temp\70AF.exe, PE32 14->152 dropped 154 C:\Users\user\AppData\Local\...\pei[1].exe, PE32 14->154 dropped 180 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->180 25 70AF.exe 16 14->25         started        29 conhost.exe 14->29         started        156 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 19->156 dropped 158 C:\Users\user\AppData\...\jacrzswcvuml.tmp, PE32+ 19->158 dropped 182 Suspicious powershell command line found 19->182 184 Found strings related to Crypto-Mining 19->184 186 Writes to foreign memory regions 19->186 192 4 other signatures 19->192 31 conhost.exe 19->31         started        33 dwm.exe 19->33         started        188 Loading BitLocker PowerShell Module 21->188 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        file6 190 Detected Stratum mining protocol 178->190 signatures7 process8 file9 128 C:\Users\user\AppData\...\1706633239.exe, PE32 25->128 dropped 130 C:\Users\user\AppData\Local\...\newtpp[1].exe, PE32 25->130 dropped 228 Multi AV Scanner detection for dropped file 25->228 230 Machine Learning detection for dropped file 25->230 232 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->232 41 1706633239.exe 1 1 25->41         started        234 Suspicious powershell command line found 31->234 236 Query firmware table information (likely to detect VMs) 33->236 signatures10 process11 file12 132 C:\Windows\sysppvrdnvs.exe, PE32 41->132 dropped 238 Antivirus detection for dropped file 41->238 240 Multi AV Scanner detection for dropped file 41->240 242 Found evasive API chain (may stop execution after checking mutex) 41->242 244 5 other signatures 41->244 45 sysppvrdnvs.exe 10 34 41->45         started        signatures13 process14 dnsIp15 166 146.70.53.161, 40500 TENET-1ZA United Kingdom 45->166 168 2.179.178.50, 40500 TCIIR Iran (ISLAMIC Republic Of) 45->168 170 12 other IPs or domains 45->170 134 C:\Users\user\AppData\Local\...\446629599.exe, PE32 45->134 dropped 136 C:\Users\user\AppData\Local\...\281653412.exe, PE32 45->136 dropped 138 C:\Users\user\AppData\...\2311326414.exe, PE32 45->138 dropped 140 2 other malicious files 45->140 dropped 246 Multi AV Scanner detection for dropped file 45->246 248 Found evasive API chain (may stop execution after checking mutex) 45->248 250 Contains functionality to check if Internet connection is working 45->250 252 4 other signatures 45->252 50 446629599.exe 45->50         started        54 1332331323.exe 45->54         started        57 158238779.exe 2 45->57         started        59 4 other processes 45->59 file16 signatures17 process18 dnsIp19 122 C:\Users\user\sysppvrdnvs.exe, PE32 50->122 dropped 214 Antivirus detection for dropped file 50->214 216 Multi AV Scanner detection for dropped file 50->216 218 Machine Learning detection for dropped file 50->218 220 Drops PE files to the user root directory 50->220 61 sysppvrdnvs.exe 50->61         started        164 185.215.113.84, 49982, 80 WHOLESALECONNECTIONSNL Portugal 54->164 124 C:\Users\user\AppData\...\2448028260.exe, PE32+ 54->124 dropped 126 C:\Users\user\AppData\Local\...\nxmr[1].exe, PE32+ 54->126 dropped 222 Hides that the sample has been downloaded from the Internet (zone.identifier) 54->222 66 2448028260.exe 54->66         started        68 cmd.exe 57->68         started        70 cmd.exe 57->70         started        224 Adds a directory exclusion to Windows Defender 59->224 226 Stops critical windows services 59->226 72 powershell.exe 23 59->72         started        74 conhost.exe 59->74         started        76 conhost.exe 59->76         started        78 5 other processes 59->78 file20 signatures21 process22 dnsIp23 172 185.71.152.222, 40500, 50001 TCIIR Iran (ISLAMIC Republic Of) 61->172 174 217.24.149.46, 40500 TCIIR Iran (ISLAMIC Republic Of) 61->174 176 13 other IPs or domains 61->176 142 C:\Users\user\AppData\Local\...\65841553.exe, PE32 61->142 dropped 144 C:\Users\user\AppData\Local\...\236013504.exe, PE32 61->144 dropped 146 C:\Users\user\AppData\Local\...\193938922.exe, PE32+ 61->146 dropped 148 C:\Users\user\AppData\...\1378231302.exe, PE32 61->148 dropped 254 Multi AV Scanner detection for dropped file 61->254 256 Adds a directory exclusion to Windows Defender 61->256 258 Hides that the sample has been downloaded from the Internet (zone.identifier) 61->258 80 193938922.exe 61->80         started        83 65841553.exe 61->83         started        85 cmd.exe 61->85         started        95 2 other processes 61->95 150 C:\Users\user\...\winupsecvmgr.exe, PE32+ 66->150 dropped 260 Antivirus detection for dropped file 66->260 262 Suspicious powershell command line found 66->262 264 Machine Learning detection for dropped file 66->264 266 Found direct / indirect Syscall (likely to bypass EDR) 66->266 268 Uses cmd line tools excessively to alter registry or file data 68->268 270 Uses schtasks.exe or at.exe to add and modify task schedules 68->270 87 conhost.exe 68->87         started        89 reg.exe 68->89         started        91 conhost.exe 70->91         started        93 schtasks.exe 70->93         started        272 Loading BitLocker PowerShell Module 72->272 file24 signatures25 process26 signatures27 194 Multi AV Scanner detection for dropped file 80->194 196 Machine Learning detection for dropped file 80->196 97 cmd.exe 80->97         started        100 cmd.exe 80->100         started        198 Antivirus detection for dropped file 83->198 200 Adds a directory exclusion to Windows Defender 85->200 102 powershell.exe 85->102         started        104 conhost.exe 85->104         started        106 conhost.exe 95->106         started        108 sc.exe 95->108         started        110 sc.exe 95->110         started        112 3 other processes 95->112 process28 signatures29 202 Uses cmd line tools excessively to alter registry or file data 97->202 114 conhost.exe 97->114         started        116 reg.exe 97->116         started        118 conhost.exe 100->118         started        120 schtasks.exe 100->120         started        204 Loading BitLocker PowerShell Module 102->204 process30
Score:
73%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7/
Threat name:
Win64.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2024-10-23 22:37:06 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zhch2rlx5gaxgnnxdp7xlad3r7j6qkuzdp3uenrlrtrcam2f33q._file
Verdict:
malicious
Label(s):
phorpiex
Create hunting rule
phorpiex_tldr
Create hunting rule
phorpiex_netbios_worm_module
Create hunting rule
Similar samples:
28068cedfc7c3e3516e39f91ae285ff6f5d26170be34cd69e70fe3f575e203bf
Phorpiex
3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
Phorpiex
4bf40544a1ffc64b6b26b5f24d8f624b7260cc40b34566b3463cae817bf7b612
Phorpiex
6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772
Phorpiex
8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a
Phorpiex
error
Phorpiex
+ 63 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:phorphiex family:xmrig discovery evasion execution loader miner persistence trojan worm
Link:
https://tria.ge/reports/241026-f4ae2azhld/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stops running service(s)
XMRig Miner payload
Modifies security service
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Xmrig family
xmrig
Malware Config
C2 Extraction:
http://185.215.113.66/
http://91.202.233.141/
http://185.215.113.84
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ae4e7327-ad7e-430d-be32-2d8c730a1cac
Unpacked files
SH256 hash:
ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
MD5 hash:
cd3237b1e648d31b8761196b6c64da8a
SHA1 hash:
2e677b7cafc3a8ee1696dddf38b176191d256559
Link:
https://www.unpac.me/results/845378a3-c274-42de-a539-9cb88a00bec0/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee4e23ea2bbf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::RemoveDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW

Comments