phorphiex | 128e7b46b91789697fc09d8ba0463003

Sharing

Copy URL Twitter E-mail

General

Target

128e7b46b91789697fc09d8ba0463003
Size

100KB
MD5

128e7b46b91789697fc09d8ba0463003
SHA1

34ec405532b51e18cfc95ec0cb15a1dd775d90e4
SHA256

4196b94a61fbb975f313ca486b1ef91b39c0bdcd9ff94c36edbdbeb9f07b78a7
SHA512

1c0200d12662d52502d4084e520bc083bb869cd89e87d9c6d97c3d0877ea47c9bc0dadb261740048cd9fadda19eb55ced9227d04f8df5b9218e35b6ade11e581
SSDEEP

3072:jXmkh1ZZDI5msTBTsDCnseWR3KEBqwciyY496dh3YwFS8ShFx:rmkhvluBBTsDCnHSKEBqwciyY496dhon

Score

10^/10

phorphiex

Malware Config

Extracted

Family

phorphiex

http://185.215.113.93/

Wallets

15i4zgkk6g4x3eb161Ay9hMj8aZ8dswqEJpNaCY4s4C5ka17

17SBPhXtH8AxszbyEPPvFaazef6Cpup7Rg

3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ

qrzu3lahc7thkstxdsjamym2sak78j6mpy23fk3mxj

XdxqSoWqiAHKgbXP5zQabiy2kUhbtaiqmn

DAHCJcwE5y3K4nA9YGjiLWSEPmadeh7uZX

0x57af5e3E5D6CB0cA6F44D303328b4f68Edaa9E39

LKHcffQ1KFH9byXS8VdfHUYLzY9a8W4ZHg

r9Ftrva5RQP24TsK3yA5JVgDHaSSFxvt1s

TDfp7Nkqk26x6Yx7Cg4otm96HLpaUXRXfY

t1aCQnZyyAmDbuDxHvWHYJw8yHKXvGKfx2H

AJE3WzUsBvX1BWF1fcnwby28114DKpoSVm

bitcoincash:qrzu3lahc7thkstxdsjamym2sak78j6mpy23fk3mxj

4AfbdZbgJ52fg6GbKkR2gRT3DMboW1ZToGisLqu3psxsGEtXoGg8QGhdfhcYkX5He19L2qEJpG2fajSz7mxEbYQF2zCAMKs

GCY7OC7EPYI6LSMPCC54UBGNFGFMX2LJF6SCVRKS5CJD5YMHVQSGBJVW

bnb1qq5re95dlsf0l0edx8kjpurluc5uslgdgqzxnv

bc1qfqne66vggljvmreg8gz6ng8xrjtf63vrm4c40a

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
sample	family_phorphiex

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
128e7b46b91789697fc09d8ba0463003

Files

128e7b46b91789697fc09d8ba0463003
.exe windows:5 windows x86 arch:x86

572f29d114844c45cfd821916845866e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_controlfp
memmove
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
wcscmp
srand
rand
mbstowcs
strchr
strcmp
_wfopen
fseek
ftell
fclose
memset
_mbsstr
strlen
isalpha
isdigit
wcsstr
wcslen
iswalpha
iswdigit
memcpy
??3@YAXPAX@Z
??2@YAPAXI@Z
strtol
memchr
memcmp

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
HttpQueryInfoA
InternetOpenUrlW
InternetOpenW
InternetReadFile

urlmon

URLDownloadToFileW

shlwapi

PathMatchSpecW
StrCmpNW
PathFileExistsW
PathFindFileNameW
PathFileExistsA

ws2_32

setsockopt
send
getaddrinfo
recv
socket
connect
closesocket
listen
bind
htonl
htons
inet_pton
ntohl
shutdown
WSACleanup
WSAStartup
getsockname
ntohs
WSAAccept
WSARecv
WSASend
WSAGetLastError
freeaddrinfo
inet_ntop

kernel32

GlobalAlloc
GlobalLock
GlobalUnlock
WaitForMultipleObjects
GetQueuedCompletionStatus
PostQueuedCompletionStatus
LoadLibraryA
GetProcAddress
lstrlenW
TerminateThread
CloseHandle
CreateIoCompletionPort
SleepEx
SetLastError
GlobalFree
GetSystemTimeAsFileTime
GetTickCount
lstrcpynA
ExitThread
SetEndOfFile
SetFilePointer
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
GetFileSize
CreateFileW
CreateProcessW
GetLocaleInfoA
DeleteFileW
WriteFile
ExpandEnvironmentStringsW
lstrcpyW
QueryDosDeviceW
GetDriveTypeW
GetLogicalDrives
RemoveDirectoryW
FindClose
FindNextFileW
MoveFileExW
lstrcmpW
WaitForSingleObject
GetLastError
GetStartupInfoA
GetModuleHandleA
MoveFileA
MoveFileW
DeleteFileA
ExitProcess
CreateMutexA
CopyFileA
CreateThread
GetTempPathW
GetModuleFileNameW
GetVolumeInformationW
SetFileAttributesW
CopyFileW
lstrcmpiW
CreateDirectoryW
lstrlenA
Sleep
HeapReAlloc
HeapAlloc
HeapFree
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
FindFirstFileW

user32

FindWindowA
ShowWindow
SetForegroundWindow
CloseWindow
SetFocus
wsprintfA
wsprintfW
GetClipboardData
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard

advapi32

CryptReleaseContext
CryptGenRandom
CryptEncrypt
CryptDestroyKey
CryptGetKeyParam
CryptImportKey
CryptSetKeyParam
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptDuplicateHash
CryptExportKey
CryptVerifySignatureA
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegSetValueExW
CryptAcquireContextW
CryptAcquireContextA

shell32

ShellExecuteW

ole32

CoInitializeEx
CoCreateInstance

Sections

.text
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

572f29d114844c45cfd821916845866e

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

wininet

urlmon

shlwapi

ws2_32

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 77KB - Virtual size: 76KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 3KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 436B

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 77KB - Virtual size: 76KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 3KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 4KB - Virtual size: 4KB