phorphiex | file[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

file.exe
Size

80KB
MD5

8d9e7695b942e570f84564345d736762
SHA1

e16022d7b4a5051c4bff6f8f23cf29ab0811c845
SHA256

b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462
SHA512

4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f
SSDEEP

1536:P3Mz85SRJP1sW7jeWkfp52S2QyS9QafFFUheeeeeeeeWeeeee:kw5gPiOjeDxb2QyS9QafFF

Score

10^/10

phorphiex

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Signatures

Phorphiex family
phorphiex

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
file.exe

Files

file.exe
.exe windows:5 windows x86 arch:x86

2ffdf0a1519d1adada787fd4df5a5fec

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

recvfrom
setsockopt
sendto
send
recv
WSAStartup
ioctlsocket
bind
WSACloseEvent
WSARecv
WSASend
WSAGetLastError
WSAEnumNetworkEvents
gethostname
connect
inet_ntoa
inet_addr
htons
getsockname
shutdown
socket
closesocket
gethostbyname
WSAEventSelect
WSAGetOverlappedResult
WSAWaitForMultipleEvents
getpeername
accept
WSACreateEvent
WSASocketA
listen

shlwapi

PathFileExistsW
StrCmpNW
PathMatchSpecW
PathFindFileNameW
StrChrA
StrStrIA
StrCmpNIA
StrStrW

urlmon

URLDownloadToFileW

wininet

HttpOpenRequestA
InternetOpenUrlW
InternetOpenUrlA
HttpQueryInfoA
InternetOpenW
InternetCloseHandle
InternetOpenA
HttpSendRequestA
InternetConnectA
InternetCrackUrlA
InternetReadFile
HttpAddRequestHeadersA

ntdll

memcpy
_chkstk
_aulldiv
RtlUnwind
memmove
mbstowcs
RtlTimeToSecondsSince1980
NtQuerySystemTime
NtQueryVirtualMemory
strstr
isdigit
isalpha
_allshl
_aullshr
memset

msvcrt

rand
srand
_vscprintf

kernel32

GetLastError
CreateProcessW
GetLocaleInfoA
DuplicateHandle
DeleteCriticalSection
GetThreadPriority
SetThreadPriority
GetCurrentThread
GetCurrentProcess
InterlockedExchangeAdd
InterlockedIncrement
InterlockedExchange
WaitForSingleObject
InterlockedDecrement
GetCurrentProcessId
HeapSetInformation
GetSystemInfo
PostQueuedCompletionStatus
GetProcessHeaps
HeapValidate
HeapCreate
HeapFree
HeapAlloc
HeapReAlloc
ExpandEnvironmentStringsW
CreateThread
CreateMutexA
MoveFileA
MoveFileW
CreateEventA
ExitProcess
GetQueuedCompletionStatus
CreateIoCompletionPort
SetEvent
GetVolumeInformationW
SetFileAttributesW
lstrcpyW
DeleteFileW
GetDiskFreeSpaceExW
FindNextFileW
lstrcmpiW
QueryDosDeviceW
RemoveDirectoryW
FindClose
lstrlenA
GlobalLock
GetModuleHandleW
GetTickCount
GlobalAlloc
Sleep
lstrcpynW
ExitThread
MultiByteToWideChar
lstrlenW
GlobalUnlock
GetFileSize
MapViewOfFile
UnmapViewOfFile
WriteFile
InitializeCriticalSection
LeaveCriticalSection
CreateFileW
FlushFileBuffers
EnterCriticalSection
CreateFileMappingW
CloseHandle
FindFirstFileW
GetDriveTypeW
MoveFileExW
CreateDirectoryW
GetLogicalDrives
CopyFileW
GetModuleFileNameW
lstrcmpW

user32

TranslateMessage
RegisterClassExW
wsprintfW
GetClipboardData
EmptyClipboard
ChangeClipboardChain
SetWindowLongW
DefWindowProcA
RegisterRawInputDevices
CreateWindowExW
SendMessageA
IsClipboardFormatAvailable
CloseClipboard
GetMessageA
wsprintfA
wvsprintfA
GetWindowLongW
DispatchMessageA
OpenClipboard
SetClipboardData
SetClipboardViewer

advapi32

RegSetValueExW
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
RegQueryValueExW
RegOpenKeyExA
RegSetValueExA
RegCloseKey
RegOpenKeyExW

shell32

ShellExecuteW

ole32

CoInitializeEx
CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

SysFreeString
SysAllocString

Sections

.text
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

2ffdf0a1519d1adada787fd4df5a5fec

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

shlwapi

urlmon

wininet

ntdll

msvcrt

kernel32

user32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 56KB - Virtual size: 56KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 10KB - Virtual size: 14KB

.text
Size: 56KB - Virtual size: 56KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 10KB - Virtual size: 14KB