phorphiex

General

Target

e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
Size

454KB
Sample

230206-pw833adh37
MD5

52776f7c163b7eb61219abd5b5af3973
SHA1

0629d26e09f45aea2a3c06580a82dbc9f94fe386
SHA256

e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
SHA512

cd8aa83035659afd3288a79f0cbc45ff1614bce6a95b90f0ea7987d684b4eaf13e5fdeab3e4273a389f49d9236653799d54a5e5b4f41c026348eebb08520d2ba
SSDEEP

12288:uymOcB+pwPprnVmLmDsC+FU+ZOSzt9tzt:uLOsDFncLmKDZOSzXFt

Score

10^/10

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Targets

- Target
  
  e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
- Size
  
  454KB
- MD5
  
  52776f7c163b7eb61219abd5b5af3973
- SHA1
  
  0629d26e09f45aea2a3c06580a82dbc9f94fe386
- SHA256
  
  e664364dc7cc75f56ddeca9e946b10ccc54d068a7767e5822134913006f39b1c
- SHA512
  
  cd8aa83035659afd3288a79f0cbc45ff1614bce6a95b90f0ea7987d684b4eaf13e5fdeab3e4273a389f49d9236653799d54a5e5b4f41c026348eebb08520d2ba
- SSDEEP
  
  12288:uymOcB+pwPprnVmLmDsC+FU+ZOSzt9tzt:uLOsDFncLmKDZOSzXFt
Score

10^/10

phorphiex evasion loader persistence trojan worm xmrig miner upx
- Phorphiex
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Windows security bypass

xmrig

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2