phorphiex | dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

General

Target

Setup.exe
Size

12KB
Sample

240719-enav7avfpa
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

10.5

Botnet

3a901b2c4dd248059af72250cf07aba7

C2

https://t.me/s41l0

https://steamcommunity.com/profiles/76561199743486170

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.0 Safari/537.36

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

77.105.135.107:3445

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Targets

- Target
  
  Setup.exe
- Size
  
  12KB
- MD5
  
  a14e63d27e1ac1df185fa062103aa9aa
- SHA1
  
  2b64c35e4eff4a43ab6928979b6093b95f9fd714
- SHA256
  
  dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
- SHA512
  
  10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
- SSDEEP
  
  192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
Score

10^/10

phorphiex redline stealc vidar 3a901b2c4dd248059af72250cf07aba7 default logsdiller cloud (tg: @logsdillabot)evasion execution infostealer loader persistence stealer trojan worm
- Detect Vidar Stealer
  stealer
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2