phorphiex

Sharing

Copy URL

Twitter E-mail

General

Target

8051496142.zip
Size

651KB
Sample

220928-k5y71agfbm
MD5

2e29823776345df6912f1155a6c698da
SHA1

3c33e4671ad49d55c438b1cfda196b502d4e90eb
SHA256

a3172e45bb1824fa625a04ff1d7e08617de13309ba9d31fb6b03ec9a921f345b
SHA512

8154dbd506874f3dcde5d8692ff062663be3e7e6edffcdb72541ac0451045aa8d80a1f26f9acdf76b99ca1cfbe5d067c22864cc98b2812371106a4a9f27af408
SSDEEP

12288:jgr+OjJFxASZc79Sm5nq8YN0uxjf5l3LEkOyL9BMEfDjYKomKddHSCCK3f+JPTa1:lIgRbq8UXRxOykEAgcSCuPTgP

Score

10^/10

Malware Config

Extracted

Family

phorphiex

http://185.215.113.84/twizt/

http://185.215.113.66/twizt/

Wallets

13dJT8HaqHG3SzwEHN351NKpZHjT51LUMioPeZCuYFMn6Em2

1AFyjUHBU47bKeWD3Yv9vxFvfQCNFVhEB1

3PLCWMHvHvUKmzNKvrNxRHcpBBt841bLLRm

qraj0r42vag30v888rxrv23us6n9mwqzxqmanzrjzz

XdpMAtREQP2GiJPnhECJE17Yo47kqwxE2g

DAd39Hg29o3hXTXkCp867rWZ82QtYemBr1

0x7acBe663481E7cAB6C7b22af594A1Fa5553ddA5f

LVSQJj6WFnMzAFDZLidL19hCtTtJu1WNHy

rsJ93nxUfY9p5a1g8ZYd1w1YsHdVP3tSn1

TXGiKCawSp4VEYnXC4Eyvz8gVugh3ibZjr

t1eAsZic54jTo4V4DRPWMN4oLgSzsSSYxcw

AHZnFT4zfKU59R811DCthwxBPKuRqG2ES1

bitcoincash:qraj0r42vag30v888rxrv23us6n9mwqzxqmanzrjzz

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

GABBG3OBFC3JLJEXMFEKJMMHANGFWVPTPKUJSVOMZZGQO522AXGL7Q3P

GMinVxCfyuHFUBiuuWuaWkUBWgN1kgowfsNzjjuad7W9

bnb16yfddrq3325xuqh3070tlqsr5gr74jun7zefgz

bc1qvdu6nyvrppjtshy7rgfpkl74hkklj7plavr8je

Targets

- Target
  
  1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c
- Size
  
  114KB
- MD5
  
  319251085e4357962fc78a832bb28ee5
- SHA1
  
  69d1f802f6251506fcb2cdd04bc016ba9e79b135
- SHA256
  
  1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c
- SHA512
  
  8761fd841317d080a24ab6ed4e46d8ef0222b927186b609d51a174ae3d86384d95327a5bf0c9a76630fb617c1bc81c2c6d1c9bbc3eb4029d45c0184c6dcc4945
- SSDEEP
  
  3072:2Ql0wN4WLO1Io0zfx/GzXlPE7lQFsUMt1HirQd:9Z4WLOGfs5E7lQFVMt1Cr4
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334
- Size
  
  76KB
- MD5
  
  bd280f51fc7e46a3f9470713f5f859cc
- SHA1
  
  ed748025627617facd90eaad22c36687819f7535
- SHA256
  
  1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334
- SHA512
  
  b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2
- SSDEEP
  
  1536:d3Mz8teK4zdEEP7ACU5wvclRSJytpKHaHlt5F92V:mwoKIP7q+vclR/tp3Ft5F92
Score

10^/10

phorphiex evasion loader persistence trojan worm xmrig miner upx
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
- Size
  
  75KB
- MD5
  
  ed2d7b25bb360cccb4f0f6a4f8732d7a
- SHA1
  
  6ffcc083956c5ac19826bdd87e12f87817ee837c
- SHA256
  
  22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
- SHA512
  
  6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f
- SSDEEP
  
  1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr
Score

10^/10

phorphiex evasion loader persistence trojan worm
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0
- Size
  
  117KB
- MD5
  
  22fae9b2afe673318d4d8de9b2b7826c
- SHA1
  
  c9181742312a14f56df830d0bffe501e1772a75d
- SHA256
  
  3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0
- SHA512
  
  af58daf87e5ae240b8a927c8f87a5a0bf81f1b5463eec810e3633c93650f0d564494731638428bc3eeda86946c8e7af329fc07bfc3ec4edd31a37c3a3145f8f1
- SSDEEP
  
  3072:Mx6HSJqSSSSF4GFEbfYKtM2n3FSOyUijEQoSSSZKVIcgqBJi7nQXpetJaSuSWSCn:dHSJqSSSSF4Pfntd3FSPjnoSSSZKVIcz
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3
- Size
  
  76KB
- MD5
  
  5db9a00364b3c87e0bc4c52d3fbda13d
- SHA1
  
  f2e1f784019db62dd2866295499650a2a7d629dd
- SHA256
  
  39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3
- SHA512
  
  7b472c384b011b24c8d4b0c7b67cc08f9708fee30bcbc38c93188064d1795ba581177cfbdd2f03d5a6f07c7ea4251c934f67710ade09ab04e9cb3884db94ef70
- SSDEEP
  
  1536:e3Mz8WzKcG6EBACCUDqgorWZK+DldD5Fw0F36:lwWWB0Aqg6WPpdD5Fwc6
Score

10^/10

phorphiex evasion loader persistence trojan worm
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral9 behavioral10
- Target
  
  6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc
- Size
  
  117KB
- MD5
  
  083b5b2003bc9b2c4cd423b086ad5265
- SHA1
  
  9fff262f74d9ecf446eabbb2e9136f1bd6c521d4
- SHA256
  
  6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc
- SHA512
  
  23999df69b89b2ead229daddbb4d76637c42e7db6b004401f10631fcfe437d40e70af18a92b7d8105610568f6311f9899398aec6296a74a3a932f8d1fdacdcc5
- SSDEEP
  
  1536:zPFAoF9649rqWOQMg7AQxfrtJlIactudzEIe7nii2nf4ljawM/0ZAmhQuz:Dx64CrsnxWhudIzioaz/YQuz
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a
- Size
  
  114KB
- MD5
  
  3f04ef0e701d181d0b1971c7661930a9
- SHA1
  
  fb76e2613c38621794fdd701f2a3ab6245b63695
- SHA256
  
  96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a
- SHA512
  
  799f26abf17139128f222b3ea010b9bd14d20a8c61a60313ec9a043c40c96e88a6eabb3bec2f640b834c608e306e16b619d699b63896f486315f0daa7fbfb89f
- SSDEEP
  
  3072:bi6paumKN81UAVH/kEOjZuMmlvAwTNZii:EovkME1MSocNL
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
- Size
  
  9KB
- MD5
  
  fe304e909fb1f67c4d9030fc74d0a2f1
- SHA1
  
  1102fb973b3b83bbd5749db3ceb9405443c09dfe
- SHA256
  
  a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
- SHA512
  
  46f797b30affdc7bc2291b2b1fb064246a7aa2359072380468abce1423b338859c0ad45b02c2dc5623d167ef51c65414e06890c7c9dfe4b9e305a0b70257f1aa
- SSDEEP
  
  192:oeJbEZ11AsLvRP1oynfUOMNc1Fu669tk2Hv:BJwZ11T51BUOMNqF96s
Score

10^/10

phorphiex evasion loader persistence trojan worm
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
- Size
  
  75KB
- MD5
  
  209baf40779b80d5e443c3dbbd656bfb
- SHA1
  
  b64fa8dded031d5dacac519a2035cefcd05e6503
- SHA256
  
  c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
- SHA512
  
  9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e
- SSDEEP
  
  1536:E3Mz8Guoo90MXrtvWhzNmgrZBVnWw7V15FK9:fwGuPXpOh5mgrVnj7V15FK
Score

10^/10

phorphiex evasion loader persistence trojan worm
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366
- Size
  
  117KB
- MD5
  
  014f05a09746a3f9ed4aed18a0f7936d
- SHA1
  
  fd8eba1a1116d093759a133577a46e587b16007c
- SHA256
  
  fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366
- SHA512
  
  3d0874e0ba2026f3b6e2c35b51049a6a5a56bede8d5fec9a33cfe6b2484e14fa16fba20ef877faf84c0a83deb7ed19f3828cbf7daa35ea49dfd67dcdc751c64e
- SSDEEP
  
  3072:mx6mollo3GcK+fpV00DO9gIsGxJ03I6zV5lE7mJ:DmasG3+B2lJFx24aV5y7mJ
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Windows security bypass

xmrig

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Phorphiex

Windows security bypass

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Windows security modification

Adds Run key to start application

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Phorphiex

Windows security bypass

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Windows security modification

Adds Run key to start application

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Loads dropped DLL

Phorphiex

Windows security bypass

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Windows security modification

Adds Run key to start application

Phorphiex

Windows security bypass

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15