phorphiex | 786a00d1c9455580ef9a7db53c27743e5db7fca41e3bbf6ba74b84fb24079a84

Sharing

Copy URL

Twitter E-mail

General

Target

786a00d1c9455580ef9a7db53c27743e5db7fca41e3bbf6ba74b84fb24079a84
Size

12KB
MD5

952b7dc6c4eced902dbd77dff34912ce
SHA1

79a2048671241312a511da346a9acdc61f7825d9
SHA256

786a00d1c9455580ef9a7db53c27743e5db7fca41e3bbf6ba74b84fb24079a84
SHA512

6550acca5c3f1ef0e476ee8bd0bee7bb4238140bd9161495881668328a268ef32ef436af3efe2ad2ec17f1bd4d75edada668fa4da9fa158aab56181fda8318df
SSDEEP

384:oWP5pgfDwnE2RzkgYLgWZ8qDitsi++vTiUC9egxC9BC:LWfYRlkcWZ8Y1ibiUCHCC

Score

10^/10

phorphiex

Malware Config

Extracted

Family

phorphiex

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/deb0e9fe1aa66fc42d58bf8561a417d6018f4a1b28b9d2a891a353b6f3d670d0.exe	family_phorphiex

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/deb0e9fe1aa66fc42d58bf8561a417d6018f4a1b28b9d2a891a353b6f3d670d0.exe

Files

786a00d1c9455580ef9a7db53c27743e5db7fca41e3bbf6ba74b84fb24079a84
.zip

Password: infected
deb0e9fe1aa66fc42d58bf8561a417d6018f4a1b28b9d2a891a353b6f3d670d0.exe
.exe windows:5 windows x86 arch:x86

24e3a14d31686a042f9eebb5c9549dc4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcr90

_controlfp_s
_invoke_watson
_except_handler4_common
_decode_pointer
_onexit
_lock
memcpy
__dllonexit
_unlock
?terminate@@YAXXZ
__set_app_type
_encode_pointer
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_acmdln
exit
_ismbblead
_XcptFilter
_exit
_cexit
__getmainargs
_amsg_exit
wcscmp
wcslen
_except_handler3
strcmp
srand
strlen
mbstowcs
rand
memset
isalpha
isdigit
_crt_debugger_hook

wininet

InternetOpenA
InternetOpenUrlA
HttpQueryInfoA
InternetOpenW
InternetOpenUrlW
InternetReadFile
InternetCloseHandle

urlmon

URLDownloadToFileW

shlwapi

StrStrW
PathFindFileNameW

kernel32

GetLastError
ExitProcess
GetModuleFileNameW
CopyFileW
SetFileAttributesW
CreateThread
HeapValidate
GetProcessHeaps
HeapCreate
HeapSetInformation
GetCurrentProcessId
GetLocaleInfoA
CreateProcessW
CreateMutexA
WriteFile
DeleteFileW
CreateFileW
GetFileSize
CreateFileMappingA
MapViewOfFile
HeapAlloc
HeapFree
UnmapViewOfFile
CloseHandle
SetFilePointer
SetEndOfFile
GetModuleHandleW
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoA
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
ExpandEnvironmentStringsW
GetProcessHeap
GlobalUnlock
GlobalLock
GlobalAlloc
lstrlenA
lstrlenW
lstrcpynW
MultiByteToWideChar
ExitThread
GetTickCount
Sleep

user32

TranslateMessage
GetMessageA
CreateWindowExW
RegisterClassExW
wsprintfW
DefWindowProcA
ChangeClipboardChain
DispatchMessageA
GetClipboardData
IsClipboardFormatAvailable
SendMessageA
SetWindowLongW
SetClipboardViewer
GetWindowLongW
wsprintfA
OpenClipboard
SetClipboardData
EmptyClipboard
RegisterRawInputDevices
CloseClipboard

advapi32

CryptAcquireContextW
CryptEncrypt
CryptImportKey
CryptVerifySignatureA
CryptHashData
CryptCreateHash
RegSetValueExA
RegOpenKeyExA
RegCloseKey
RegSetValueExW
RegOpenKeyExW
CryptDestroyKey

shell32

ShellExecuteW

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 916B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 688B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

24e3a14d31686a042f9eebb5c9549dc4

Headers

DLL Characteristics

File Characteristics

Imports

msvcr90

wininet

urlmon

shlwapi

kernel32

user32

advapi32

shell32

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 512B - Virtual size: 916B

.rsrc Size: 1024B - Virtual size: 688B

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 916B

.rsrc
Size: 1024B - Virtual size: 688B

.reloc
Size: 1KB - Virtual size: 1KB