MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 17



SHA256 hash: fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA3-384 hash: e7fde4090f1d2141d3a48dcb24c9830542b0865ea4a76c2268e7ae39fd167c95c0e742cd2464ae9e313d01bba6d1cc44
SHA1 hash: d1d93023f1085eed136c6d225d998abf2d5a5bf0
MD5 hash: 08dafe3bb2654c06ead4bb33fb793df8
humanhash: cat-fruit-mississippi-queen
File name: SecuriteInfo.com.PUA.Tool.BtcMine.2745.8568.10790
Signature: Phorpiex
File size: 10'240 bytes
First seen: 2025-02-04 00:53:49 UTC
Last seen: 2025-02-04 01:19:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e533aae210c56979a3c68ed53699fc23 (1 x Phorpiex)
ssdeep: 96:zMG7Mp1ySr4P6M/r52Od0NDiIp+BYU81fPVdjPbuJxGEOaRh2qh3C7tCEF1K:ACMp/ViVQtp+OJcJxTOchthcFw
TLSH: T11922280ABECA40B1E3E14CF057F58B4A8ABE50632B86B1CBF773C5594F60350C4566E6
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 2
# of downloads: 555
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 4363463463464363463463463.zip
Verdict: Malicious activity
Analysis date: 2025-01-21 22:23:01 UTC
Tags: arch-exec xred backdoor loader github delphi stealc stealer quasar rat auto asyncrat quasarrat evasion redline generic blankgrabber hausbomber dcrat dyndns nanocore phorpiex botnet njrat lumma opendir whitesnakestealer bladabindi miner meterpreter cryptbot pandastealer remote payload metasploit pythonstealer amadey

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: phorpiex mint spam
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Changing an executable file
Creating a window
DNS request
Connection attempt
Sending a UDP request
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Infecting executable files
Enabling threat expansion on mass storage devices
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: crypto explorer fingerprint lolbin microsoft_visual_cc obfuscated
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex, Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1606144; Sample: SecuriteInfo.com.PUA.Tool.B...; Startdate: 04/02/2025; Architecture: WINDOWS; Score: 100 (graph rendering not reproduced here)
Threat name: Win32.Trojan.MintZard
Status: Malicious
First seen: 2024-11-24 18:17:53 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Verdict: malicious
Label(s): knotransomware phorpiex
Similar samples:
Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
System Location Discovery: System Language Discovery
Verdict: Malicious
Tags: win32_phorpiex
YARA: n/a
Unpacked files
SHA256 hash: fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
MD5 hash: 08dafe3bb2654c06ead4bb33fb793df8
SHA1 hash: d1d93023f1085eed136c6d225d998abf2d5a5bf0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Malware family | File
Web download | Phorpiex | Executable exe fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
URL_MONIKERS_API | Can Download & Execute components | urlmon.dll::URLDownloadToFileW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, WININET.dll::InternetCloseHandle, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW

Comments