General

  • Target

    d8ecc1fd1deb6c69a39bbae5c2c4e528.exe

  • Size

    10KB

  • Sample

    221124-fa4rsada2w

  • MD5

    d8ecc1fd1deb6c69a39bbae5c2c4e528

  • SHA1

    9abce16698a70cf118a251a00ba550122ad31102

  • SHA256

    4b56d0b0c8c52803bf7c21587bd98a16f73f0d6ed4e4153eee1964533ac394ee

  • SHA512

    7c00e5d84b5e6b5b8ac4e9bd1b1490db6cb1888c48f74946cc218954a1be30030360dc1fad35d7cd8e6909c58a0d201111ef8dc5416462378646c8bebc218ab7

  • SSDEEP

    192:V8WNyBKkeqbOABDNDZP1oynVeMLkWS+E/Q+VIKiIidEiv:lNyxeqFBl1XeMQWS+E/Q+VXiWiv

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/twizt/

Wallets

12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc

1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD

3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg

3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz

qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8

DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG

0xb899fC445a1b61Cdd62266795193203aa72351fE

LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7

r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1

TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5

t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy

AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX

bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

43ABGVDKXksdy7UTP8aHqkRf4xAVDmKKXBYDRevAadwaLJhHzH4ubZHGLjVpLc5ZWk7TVmHbHHAWUBF78mx1YG4eNbww6fr

GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY

bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky

bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v

Targets

    • Target

      d8ecc1fd1deb6c69a39bbae5c2c4e528.exe

    • Size

      10KB

    • MD5

      d8ecc1fd1deb6c69a39bbae5c2c4e528

    • SHA1

      9abce16698a70cf118a251a00ba550122ad31102

    • SHA256

      4b56d0b0c8c52803bf7c21587bd98a16f73f0d6ed4e4153eee1964533ac394ee

    • SHA512

      7c00e5d84b5e6b5b8ac4e9bd1b1490db6cb1888c48f74946cc218954a1be30030360dc1fad35d7cd8e6909c58a0d201111ef8dc5416462378646c8bebc218ab7

    • SSDEEP

      192:V8WNyBKkeqbOABDNDZP1oynVeMLkWS+E/Q+VIKiIidEiv:lNyxeqFBl1XeMQWS+E/Q+VXiWiv

    • Phorphiex

      Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Windows security bypass

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks