phorphiex | 9905e86ec9acd294a2ffb88a79b598a8029ee6ff07d794411885ab102bbd647f

General

Target

036d8f6b86325c18fa71a7d922ec6ff3.exe
Size

7KB
MD5

036d8f6b86325c18fa71a7d922ec6ff3
SHA1

f73f4a8fd8a4f5a2c66fc425d571b3b1219cb5e9
SHA256

9905e86ec9acd294a2ffb88a79b598a8029ee6ff07d794411885ab102bbd647f
SHA512

56da1be33c24ba20400aefc8127f75fcc139ef418868472c5fa195bae67a1009158c60160ecdfe0117544746a3be2319d0b79ce3be5a15e7ebd39b8ba2c02795
SSDEEP

96:S5urVm8uw0GSYU6RYHKcFPtboynuYUL8PCtbOoX:42Vm8yPkIP1oynfUL8ebJ

Score

10^/10

phorphiex rhadamanthys evasion loader persistence stealer trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3392-142-0x0000000002990000-0x00000000029AC000-memory.dmp	family_rhadamanthys
behavioral2/memory/3392-143-0x0000000002BF0000-0x0000000003BF0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3392-145-0x0000000002990000-0x00000000029AC000-memory.dmp	family_rhadamanthys

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

1637826837.exesysagrsv.exe2599729860.exe

pid process

3220 1637826837.exe
2068 sysagrsv.exe
3392 2599729860.exe

pid	process
3220	1637826837.exe
2068	sysagrsv.exe
3392	2599729860.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1637826837.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	1637826837.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

2599729860.exe

pid process

3392 2599729860.exe
3392 2599729860.exe
3392 2599729860.exe
Drops file in Windows directory 2 IoCs

Processes:

1637826837.exe

description ioc process

File opened for modification C:\Windows\sysagrsv.exe 1637826837.exe
File created C:\Windows\sysagrsv.exe 1637826837.exe

pid	process
3392	2599729860.exe
3392	2599729860.exe
3392	2599729860.exe

description	ioc	process
File opened for modification	C:\Windows\sysagrsv.exe	1637826837.exe
File created	C:\Windows\sysagrsv.exe	1637826837.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2599729860.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	2599729860.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	2599729860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2599729860.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2599729860.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2599729860.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2599729860.exe

description pid process

Token: SeShutdownPrivilege 3392 2599729860.exe
Token: SeCreatePagefilePrivilege 3392 2599729860.exe

description	pid	process
Token: SeShutdownPrivilege	3392	2599729860.exe
Token: SeCreatePagefilePrivilege	3392	2599729860.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

036d8f6b86325c18fa71a7d922ec6ff3.exe1637826837.exesysagrsv.exe

description	pid	process	target process
PID 3936 wrote to memory of 3220	3936	036d8f6b86325c18fa71a7d922ec6ff3.exe	1637826837.exe
PID 3936 wrote to memory of 3220	3936	036d8f6b86325c18fa71a7d922ec6ff3.exe	1637826837.exe
PID 3936 wrote to memory of 3220	3936	036d8f6b86325c18fa71a7d922ec6ff3.exe	1637826837.exe
PID 3220 wrote to memory of 2068	3220	1637826837.exe	sysagrsv.exe
PID 3220 wrote to memory of 2068	3220	1637826837.exe	sysagrsv.exe
PID 3220 wrote to memory of 2068	3220	1637826837.exe	sysagrsv.exe
PID 2068 wrote to memory of 3392	2068	sysagrsv.exe	2599729860.exe
PID 2068 wrote to memory of 3392	2068	sysagrsv.exe	2599729860.exe
PID 2068 wrote to memory of 3392	2068	sysagrsv.exe	2599729860.exe

C:\Users\Admin\AppData\Local\Temp\036d8f6b86325c18fa71a7d922ec6ff3.exe
"C:\Users\Admin\AppData\Local\Temp\036d8f6b86325c18fa71a7d922ec6ff3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\1637826837.exe
C:\Users\Admin\AppData\Local\Temp\1637826837.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\sysagrsv.exe
C:\Windows\sysagrsv.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\2599729860.exe
C:\Users\Admin\AppData\Local\Temp\2599729860.exe
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1637826837.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1637826837.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\2599729860.exe
Filesize
179KB

MD5
5397f9cb7507b8a6e20bae247451c673

SHA1
4a3081cf46149f5d337908dc0390ae2a97144a74

SHA256
aa87563289327498a603f4103d7ce9b76fa008426c404c6f4afa087326651e81

SHA512
0edb5c96bf77d0de7e75597c692cfa5764e7a85bd1dbda16ed9334139fd79711ca58df4644f0075947586357392ac9b8087f9058121e7a6e522390e3d7f9478d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2599729860.exe
Filesize
179KB

MD5
5397f9cb7507b8a6e20bae247451c673

SHA1
4a3081cf46149f5d337908dc0390ae2a97144a74

SHA256
aa87563289327498a603f4103d7ce9b76fa008426c404c6f4afa087326651e81

SHA512
0edb5c96bf77d0de7e75597c692cfa5764e7a85bd1dbda16ed9334139fd79711ca58df4644f0075947586357392ac9b8087f9058121e7a6e522390e3d7f9478d

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
memory/2068-135-0x0000000000000000-mapping.dmp

Download
memory/3220-132-0x0000000000000000-mapping.dmp

Download
memory/3392-138-0x0000000000000000-mapping.dmp

Download
memory/3392-141-0x0000000000EA1000-0x0000000000EBB000-memory.dmp

Filesize
104KB

Download
memory/3392-142-0x0000000002990000-0x00000000029AC000-memory.dmp

Filesize
112KB

Download
memory/3392-143-0x0000000002BF0000-0x0000000003BF0000-memory.dmp

Filesize
16.0MB

Download
memory/3392-144-0x0000000000EA1000-0x0000000000EBB000-memory.dmp

Filesize
104KB

Download
memory/3392-145-0x0000000002990000-0x00000000029AC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads