MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 17



SHA256 hash: f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c
SHA3-384 hash: 2275271d6566c2a83c898728d5ae3c255491af4980fdc02c6bf17d765b8c39cd357e16d33059c92c61609ca7cf1c17c2
SHA1 hash: 880af0125f57e6f06e45bd618a118279c91333c4
MD5 hash: 0db1ba9cccb1979cd66f0c8f2e945f36
humanhash: mars-robin-finch-beryllium
File name: f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c
Signature Phorpiex
File size: 547'744 bytes
First seen: 2023-02-06 12:49:12 UTC
Last seen: 2023-02-06 14:48:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 8e2588a9cf43886de3449dfff03137b6 (2 x Phorpiex, 2 x ACRStealer)
ssdeep 6144:lAqvMo118G8LDNrlwPdDmRekgpNGfSzHB25w3jkYtGhLYuOVQhh3A94Uw1CClytm:lAqkoCtQO4Nai3jk/P3hK3on0GZVPB
Threatray 57 similar samples on MalwareBazaar
TLSH T14DC48D31A6A04037D6F106B3FD14D2307E7DA2187B1184ABD294AE2D3EA85D7A7F7217
TrID 74.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter adrian__luca
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads:
2
# of downloads:
206
Origin country:
HU
Vendor Threat Intelligence
Malware family:
phorpiex
ID:
1
File name:
f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c
Verdict:
Malicious activity
Analysis date:
2023-02-06 12:48:22 UTC
Tags:
loader trojan phorpiex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a UDP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll virus zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Phorpiex, Xmrig
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 799772
Sample: H6uKtOX196.exe
Startdate: 06/02/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures
Top-level processes started: H6uKtOX196.exe; winsvrupd.exe; powershell.exe; 13 other processes

H6uKtOX196.exe
  Network: 185.215.113.66 (ports 49699, 49700, 49703), WHOLESALECONNECTIONSNL, Portugal
  Dropped: C:\Users\user\AppData\Local\Temp\176B.exe (PE32); C:\Users\user\AppData\Local\...\npp[1].exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 176B.exe

winsvrupd.exe
  Dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\Local\...\mpnsrsgv.tmp (PE32+)
  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample is not signed and drops a device driver
  Started: cmd.exe

powershell.exe
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe

13 other processes
  Signatures: Query firmware table information (likely to detect VMs)
  Started: MpCmdRun.exe; conhost.exe; schtasks.exe; 3 other processes

176B.exe (started by H6uKtOX196.exe)
  Network: 185.215.113.84 (ports 49701, 49706, 49718), WHOLESALECONNECTIONSNL, Portugal; Detected Stratum mining protocol on this connection
  Dropped: C:\Users\user\AppData\Local\...\189796239.exe (PE32); C:\Users\user\AppData\Local\...\newtpp[1].exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 189796239.exe

cmd.exe (started by winsvrupd.exe)
  Signatures: Query firmware table information (likely to detect VMs)

MpCmdRun.exe
  Started: conhost.exe

189796239.exe (started by 176B.exe)
  Dropped: C:\Windows\sysagrsv.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
  Started: sysagrsv.exe

sysagrsv.exe (started by 189796239.exe)
  Network: 77.93.33.36 (port 40500), UA-SEECHZaporozhyeLeninaav170bUA, Ukraine; 197.148.1.108 (port 40500), TVCaboAngolaAO, Angola; 24 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\63706198.exe (PE32); C:\Users\user\AppData\...\1625714628.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
  Started: 1625714628.exe; 63706198.exe

1625714628.exe (started by sysagrsv.exe)
  Dropped: C:\Users\user\AppData\...\1056028517.exe (PE32+); C:\Users\user\AppData\Local\...\xmr[1].exe (PE32+)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 1056028517.exe

1056028517.exe (started by 1625714628.exe)
  Dropped: C:\Users\user\...\winsvrupd.exe (PE32+)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
Threat name:
Win32.Trojan.Zusy
Status:
Malicious
First seen:
2023-01-25 15:05:27 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Result
Malware family:
phorphiex
Score:
  10/10
Tags:
family:phorphiex evasion loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Phorphiex
Windows security bypass
Malware Config
C2 Extraction:
http://185.215.113.66/
Unpacked files
SHA256 hash:
f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c
MD5 hash:
0db1ba9cccb1979cd66f0c8f2e945f36
SHA1 hash:
880af0125f57e6f06e45bd618a118279c91333c4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
