MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c
SHA3-384 hash: c563cbed9bdbf9c02bdb0f14c1dd518984d0a462aa066e88170c05423361d3dac7489dcb52f54e095b8fc3120cdfcbf4
SHA1 hash: d5886070d235d08ab19de5ecfe4d4c180c2ef6e2
MD5 hash: 50c73701c44e31354019c2644e4be1b8
humanhash: mango-idaho-angel-avocado
File name:file
Download: download sample
Signature Phorpiex
Create hunting rule
File size:113'664 bytes
First seen:2026-06-10 13:11:42 UTC
Last seen:2026-06-10 13:59:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c6cbbdd643acf2dc6daa2bfb97e98d80 (18 x Phorpiex)
ssdeep 1536:MvQFS6jum8d78qt2xjmEGur+GLpmc8K/THUBZT/3d5Fb26E8Jr:wQFSAumAg3GuqGLQc0XT/3d5Fbuo
Threatray 42 similar samples on MalwareBazaar
TLSH T19DB38D1030C1C432E567217588BAC7B58A6DFC710F756ADBBFC406AE4F266D29A36387
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-phorpiex exe Phorpiex


Avatar
Bitsight
url: http://178.16.54.109/3

Intelligence

File Origin
# of uploads :
35
# of downloads :
145
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c.exe
Verdict:
Malicious activity
Analysis date:
2026-06-10 13:19:38 UTC
Tags:
ip-check evasion
Link:
https://app.any.run/tasks/767aac45-cdbe-4807-827a-1fbb39e05f65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70515/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a296296a15110463ee47d76
Tags:
phorpiex agentb
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
DNS request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c/results?tab=lookup
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b44181a-0ca6-4fc1-b3df-ae3af279572a
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c/
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2026-06-10 13:13:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bebejpcaozf5einn7v5loj7fiyaho7a25l2isnzx5zvc4sdizoa._file
Verdict:
malicious
Label(s):
phorpiex
Create hunting rule
Similar samples:
0371fbbff34ec41ee9ae007482edbcb75f1749661b863da3a2ffe86638cd62a3
Phorpiex
3006d572f747097bc02341c50ddcdad972d8539509fbf085b5024c6c04cb67e3
Phorpiex
638bee1130007af009e628efbd6aed9b7b0c88c9184513e1928cf7e0eba215e0
Phorpiex
9570038453a8b3caa9e7a0af56ef77cee9cfb314c357e62f4350fb99f6afc51f
Phorpiex
a1e6596aebf29245f949787234fa4258a2978cdf86275224af0700899f4b6704
Phorpiex
e50d0e5abf23d4cdb1021c0db51572a785150f0a797fbe57b203b54c26c086e1
Phorpiex
error
Phorpiex
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/260610-qfby3aay71/
Behaviour
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Unpacked files
SH256 hash:
f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c
MD5 hash:
50c73701c44e31354019c2644e4be1b8
SHA1 hash:
d5886070d235d08ab19de5ecfe4d4c180c2ef6e2
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/569d5ee1-cd1e-4c85-8a2f-b4cac05d2cbe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe f0481225e203b25e910d6febd5b93f2a3003bbe0d757a449b9bf73517243465c

(this sample)

  
Dropped by
Phorpiex
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/70515/

Comments