MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 13



SHA256 hash: fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2
SHA3-384 hash: f824c02874761132da36179a9c1226682154f56524d618fdb74448e04dce2b86530df09ba2ba5bbdc5e780c0cafdde4d
SHA1 hash: 441cb819e9ef15ece841b8776c1e6eec1e68ec95
MD5 hash: dffa738e21daf5b195cda9a173d885fc
humanhash: arizona-twenty-ohio-oxygen
File name: file
Signature: Phorpiex
File size: 7'168 bytes
First seen: 2023-03-01 17:43:27 UTC
Last seen: 2024-01-13 01:18:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash d65758d31215fa0cf1abf175e24d35cd (3 x Phorpiex)
ssdeep 96:S5bbVm8uw0GSYUKRYHQb+cM8b4PtboynuYUL8PCtbOoX:4fVm8yP0b48sP1oynfUL8ebJ
Threatray 263 similar samples on MalwareBazaar
TLSH T17BE1A80F6B5402E3E750C67552B79A49E6EE612323247ECFD5F789099D0B312B8433AD
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags: exe Phorpiex

Intelligence


File Origin
# of uploads: 5
# of downloads: 195
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-01 17:48:53 UTC
Tags: loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Sending an HTTP GET request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: greyware shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex, RHADAMANTHYS, Xmrig
Detection: malicious
Classification: rans.troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Phorpiex
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 817925, sample file.exe, start date 01/03/2023, architecture WINDOWS, score 100 (interactive graph rendering not reproduced here)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-03-01 17:44:08 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 39 (58.97%)
Threat level: 5/5
Result
Malware family: phorphiex
Score: 10/10
Tags: family:phorphiex loader persistence trojan worm
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Phorphiex
Malware Config
C2 Extraction: http://185.215.113.66/
Unpacked files
SHA256 hash: fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2
MD5 hash: dffa738e21daf5b195cda9a173d885fc
SHA1 hash: 441cb819e9ef15ece841b8776c1e6eec1e68ec95
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Phorpiex
File type: Executable exe
SHA256 hash: fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2 (this sample)

Comments