MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe3428c2f1613c72ef1612b6876239ec8cc058628e8240664315359802215af1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Phorpiex


Vendor detections: 9



SHA256 hash: fe3428c2f1613c72ef1612b6876239ec8cc058628e8240664315359802215af1
SHA3-384 hash: bb6900f72eccd077ff49831d3d3bbee915b6c104a84aa7dc74ed9e01180e101d86c88fcac8610319318c33c5415a1164
SHA1 hash: 41c27cfc57fb605d62accbb184875f57e49cc235
MD5 hash: 465c8cac1040a56b514c0998b998550a
humanhash: zebra-july-helium-kitten
File name: 465c8cac1040a56b514c0998b998550a.exe
Signature: Phorpiex
File size: 427'156 bytes
First seen: 2020-11-29 07:21:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep: 6144:bC0bbXMgOOV113sb97nGncSLTVs43prndGlWPDENNwEhh2BJCTrxq1oNXH5HgPK4:bCnfh7i5xG4MELPJZr
Threatray: 14 similar samples on MalwareBazaar
TLSH: 9794B64232437937DAA17AB73112D5B010696E51ACFDB39C26E18EEF3799BB00C48776
Reporter: abuse_ch
Tags: exe Phorpiex
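The imphash above is shared with 195 LummaStealer, 126 DanaBot and 63 Vidar samples, which is a sign that it describes a packer stub rather than the Phorpiex payload (the sandbox tags below mark the file as UPX packed). The following is an added example, not MalwareBazaar's or pefile's code: it implements the imphash algorithm on a constructed import list and shows why every file wrapped by the same stub hashes the same. The UPX-style and "unpacked" import lists are assumptions chosen for illustration; on a real file the imports come from a PE parser such as pefile (PE(path).get_imphash()).

```python
"""Added example (not MalwareBazaar's or pefile's code): the imphash algorithm
on constructed import lists. Imphash is an MD5 over the ordered "dll.function"
import entries, so two files with the same import table (e.g. the same packer
stub) share it regardless of what the stub unpacks."""
import hashlib

IMPHASH_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """imports: list of (dll, function) pairs in import-table order.
    Conventions as in pefile: lower-case everything, drop a .dll/.ocx/.sys
    extension from the module name, join entries as dll.func with commas, MD5."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        base, dot, ext = dll.rpartition(".")
        if dot and ext in IMPHASH_EXTS:
            dll = base
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Assumed for illustration: the import table of a typical UPX stub, which only
# needs a handful of kernel32 functions to map and jump into the payload.
UPX_STUB_IMPORTS = [
    ("KERNEL32.DLL", "LoadLibraryA"), ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualProtect"), ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualFree"), ("KERNEL32.DLL", "ExitProcess"),
]

# Assumed for illustration: imports an unpacked payload with the behaviours
# listed on this page (file attributes, Run key, HTTP GET, sockets) might have.
UNPACKED_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "SetFileAttributesA"),
    ("ADVAPI32.dll", "RegSetValueExA"), ("WININET.dll", "InternetOpenUrlA"),
    ("WS2_32.dll", "connect"),
]


def packed_vs_unpacked():
    """Imphash of the packer stub versus the payload. Pivoting on the first
    value finds every file packed with that stub, not one malware family;
    hash the unpacked binary before using imphash as a family indicator."""
    return {"packed": imphash(UPX_STUB_IMPORTS),
            "unpacked": imphash(UNPACKED_IMPORTS)}


if __name__ == "__main__":
    for kind, value in packed_vs_unpacked().items():
        print(f"{kind}: {value}")
```

The practical consequence for this entry: the imphash is useful for finding other UPX-packed uploads, while ssdeep and TLSH (computed over the whole file) and any hash of the unpacked payload are the values to pivot on for Phorpiex itself.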

Intelligence


File Origin
# of uploads: 1
# of downloads: 286
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for recently created files
Searching for the window
Searching for many windows
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Phorpiex Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
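Two of the findings above are directly huntable on a host or in a SIEM: "Sigma detected: System File Execution Location Anomaly" / "Drops PE files with benign system names" (the sample copies itself as svchost.exe into a directory such as C:\30602451729947\), and "Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch". The block below is an added example, not MalwareBazaar's or any vendor's detection code: it implements both checks and runs them over a few constructed Sysmon-style events. The event dicts, the parent paths, the SID and the Run value names are constructed for illustration; the svchost.exe paths are the dropped-file paths from the sandbox report.

```python
"""Added example (not MalwareBazaar's or any vendor's code): detection logic
for two behaviours reported for this sample, run over constructed events.
  1. system_file_location_anomaly: a process whose image name is a Windows
     system binary but whose path is outside System32 / SysWOW64.
  2. suspicious_run_key: a Run / RunOnce value whose target executable lives
     outside trusted install locations (or in Windows\\Temp)."""
import re

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
TRUSTED_EXCEPTIONS = ("c:\\windows\\temp\\",)  # world-writable, so never trusted
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def _norm(path):
    # Lower-case, drop quotes and unify separators so prefix checks are stable.
    return path.strip('"').lower().replace("/", "\\")


def system_file_location_anomaly(ev):
    """True for a process_create event whose image has a system-binary name
    but runs from a directory other than System32 / SysWOW64."""
    if ev.get("type") != "process_create":
        return False
    image = _norm(ev["image"])
    name = image.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS)


def suspicious_run_key(ev):
    """True for a registry_set event under ...\\CurrentVersion\\Run(Once)
    whose target executable is outside trusted install locations."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return False
    target = _norm(ev["value"])
    if target.startswith(TRUSTED_EXCEPTIONS):
        return True
    return not target.startswith(TRUSTED_DIRS)


RULES = (("system_file_location_anomaly", system_file_location_anomaly),
         ("suspicious_run_key", suspicious_run_key))


def scan(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


# Constructed events. The two non-system svchost.exe paths are the dropped
# files from the sandbox report; parents, SID and value names are made up.
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "image": r"C:\30602451729947\svchost.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\B075.exe"},
    {"type": "process_create", "image": r"C:\170241923511586\svchost.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\2124123619.exe"},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriver",
     "value": r"C:\30602451729947\svchost.exe"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
]

if __name__ == "__main__":
    for name, ev in scan(EVENTS):
        print(name, ev.get("image") or ev.get("value"))
```

The real svchost.exe launched by services.exe and the Defender Run entry under Program Files pass; the two svchost.exe copies in numeric root-level directories and the Run value pointing at one of them fire. In production the first rule should also check the parent (svchost.exe is normally a child of services.exe) and the second should resolve the value's leading quoted path before the prefix test.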
Behaviour
Behavior Graph:
Behavior Graph (ID 324339; sample wNtMSZRvzI.exe; start date 29/11/2020; architecture WINDOWS; score 100). The rendered graph did not survive extraction; the nodes, edges and per-node findings it contained are listed below.

Top level (sandbox start)
  Network: wdkowdohwodhfhfg.to; efaeduvedvzfufug.to (Tries to resolve many domain names, but no domain seems valid); 6 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 13 other signatures
  Starts: wNtMSZRvzI.exe; svchost.exe (contacts api.wipmania.com); svchost.exe (contacts api.wipmania.com); 5 other processes (contact edhuaudhuedugufg.to, api.wipmania.com and 2 other IPs or domains)

wNtMSZRvzI.exe
  Network: worm.ws (217.8.117.10, ports 49719, 49732, 49733; CREXFEXPEX-RUSSIARU, Russian Federation; Tries to resolve many domain names, but no domain seems valid); tldrnet.top
  Dropped: C:\Users\user\AppData\Local\Temp\B075.exe (PE32); C:\Users\user\AppData\Local\...\32[1].exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: B075.exe

B075.exe
  Network: api.wipmania.com (212.83.168.196, ports 49720, 49724, 49734; OnlineSASFR, France)
  Dropped: C:\30602451729947\svchost.exe (PE32)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops PE files with benign system names; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: svchost.exe (C:\30602451729947\svchost.exe)

svchost.exe (C:\30602451729947\)
  Network: efaeduvedvzfufuk.ws (64.70.19.203, ports 49740, 49743, 49745; CENTURYLINK-LEGACY-SAVVISUS, United States; Detected Stratum mining protocol); wduufbaueeubffgg.to (Tries to resolve many domain names, but no domain seems valid); 30 other IPs or domains
  Dropped: C:\Users\user\AppData\...\2124123619.exe (data); C:\Users\user\AppData\...\1371439862.exe (data)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Changes security center settings (notifications, updates, antivirus, firewall); 2 other signatures
  Starts: 1371439862.exe; 2124123619.exe

1371439862.exe
  Dropped: C:\Users\user\AppData\Local\Temp\29005.exe (PE32); C:\Users\user\AppData\Local\...\xmrmin[1].exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: 29005.exe

29005.exe
  Network: worm.top
  Dropped: C:\ProgramData\PnQssBdbSh\winsysdrv (PE32)
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
  Starts: notepad.exe

notepad.exe (started by 29005.exe)
  Network: worm.ws
  Signatures: System process connects to network (likely due to code injection or exploit)

2124123619.exe
  Network: api.wipmania.com (May check the online IP address of the machine)
  Dropped: C:\170241923511586\svchost.exe (PE32)
  Signatures: Drops PE files with benign system names
  Starts: svchost.exe (C:\170241923511586\svchost.exe)

svchost.exe (C:\170241923511586\)
  Network: efeuafubeubaefuk.ws; deauduafzgezzfgk.ws (Tries to resolve many domain names, but no domain seems valid); 14 other IPs or domains
  Dropped: C:\Users\user\AppData\...\3140018013.exe (data); C:\Users\user\AppData\...\1176610936.exe (data)
  Signatures: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: 1176610936.exe (contacts api.wipmania.com); 3140018013.exe
Threat name: Win32.Trojan.MintZard
Status: Malicious
First seen: 2020-11-27 15:05:00 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:phorphiex family:xmrig evasion loader miner persistence trojan upx worm
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Drops startup file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
Phorphiex Payload
Phorphiex Worm
Windows security bypass
xmrig
Unpacked files
SHA256 hash: fe3428c2f1613c72ef1612b6876239ec8cc058628e8240664315359802215af1
MD5 hash: 465c8cac1040a56b514c0998b998550a
SHA1 hash: 41c27cfc57fb605d62accbb184875f57e49cc235
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments