MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8
SHA3-384 hash:	2373689b9fcc3b5008f59c8144dd4c48a101895b68d3dae32cf4d2056f9dc9c7716c90c88d92353e1eff5a1460fee995
SHA1 hash:	128b1abb7e42b5f7b20fe947b0711ae92f13a2e3
MD5 hash:	04277f82a0458b2a1faf76102fbeb254
humanhash:	delta-beryllium-single-juliet
File name:	04277f82a0458b2a1faf76102fbeb254.exe
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	20'480 bytes
First seen:	2024-12-26 11:44:27 UTC
Last seen:	2025-02-02 19:43:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	14927c59260882ecd7d3211753d56621 (2 x Phorpiex)
ssdeep	384:iv0WLc01PT5cgafkrVUAd/ibYTJ4JVB00gMSSRJh:y5PTvaiVUdYAvgw
Threatray	42 similar samples on MalwareBazaar
TLSH	T13F922A06A95A535BE972187093B32D25603E7E76631D84CFFF80093916A4EE4FB3334A
TrID	32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 20.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Phorpiex

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

04277f82a0458b2a1faf76102fbeb254.exe

Verdict:

No threats detected

Analysis date:

2024-12-26 12:08:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d7d7104b-acd5-4ff5-8342-da4fc9fb116b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Ransom.GandCrab.2664.8902.11703.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=676d41c78a4d48ee35ffaa27

Tags:

shellcode gandcrab dropper trojan

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Changing an executable file

Infecting executable files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm explorer lolbin microsoft_visual_cc

Link:

https://www.filescan.io/uploads/676d41c3d986a2005f8ca9a0/reports/1db6e0ae-3db8-411f-8bf4-780d364b046d/overview

Verdict:

Malicious

Labled as:

Ransom.GandCrab.Generic

Link:

https://www.hybrid-analysis.com/sample/f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3deb6a9-1fbc-4891-b70d-dc2ea0a7cd58

Result

Threat name:

Phorpiex

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1580884

Signature

AI detected suspicious sample

Antivirus detection for dropped file

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Phorpiex

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8

Detection:

phorpiex

Link:

https://mwdb.cert.pl/sample/f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8/

Threat name:

Win32.Worm.Phorpiex

Status:

Malicious

First seen:

2024-12-26 01:06:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zowfc5dsvztkmakfvugnc5if6fpempbapxjsgsxoxhvbncvtcua._file

Verdict:

malicious

Label(s):

phorpiex

Phorpiex

757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d

Phorpiex

9d512e372cbc60a9d7ff6c44f21403dd82782f1f975444333d4870b54f23d9e7

Phorpiex

e035a6e7acc559553c782539b20bc32fc767c385319902d963a395ae7a9c3934

Phorpiex

error

Phorpiex

f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8

Phorpiex

+ 32 additional samples on MalwareBazaar

Result

Malware family:

phorphiex

Score:

10/10

Tags:

family:phorphiex discovery spyware stealer

Link:

https://tria.ge/reports/241226-nwrcksvmdj/

Behaviour

System Location Discovery: System Language Discovery

Reads user/profile data of web browsers

Malware Config

C2 Extraction:

185.215.113.66

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/18d38b27-a9ef-40d3-a1a2-5d4b78b3e9d2

Unpacked files

SH256 hash:

f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8

MD5 hash:

04277f82a0458b2a1faf76102fbeb254

SHA1 hash:

128b1abb7e42b5f7b20fe947b0711ae92f13a2e3

Link:

https://www.unpac.me/results/7f3923d4-00ad-4b56-b9b9-6a67e853078d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

exe f65d628ba3957335300a2d68668ba82f8af231e103ee991a5775cf50b45598a8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3068640/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2274783/

URLhaus

https://urlhaus.abuse.ch/url/3068747/

URLhaus

https://urlhaus.abuse.ch/url/3068730/

URLhaus

https://urlhaus.abuse.ch/url/3068719/

URLhaus

https://urlhaus.abuse.ch/url/3068658/

URLhaus

https://urlhaus.abuse.ch/url/1961882/

URLhaus

https://urlhaus.abuse.ch/url/3068772/

URLhaus

https://urlhaus.abuse.ch/url/3069717/

URLhaus

https://urlhaus.abuse.ch/url/3274262/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingA KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::QueryDosDeviceW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample