phorphiex | sysfgdrvs[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

sysfgdrvs.exe
Size

76KB
MD5

5db9a00364b3c87e0bc4c52d3fbda13d
SHA1

f2e1f784019db62dd2866295499650a2a7d629dd
SHA256

39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3
SHA512

7b472c384b011b24c8d4b0c7b67cc08f9708fee30bcbc38c93188064d1795ba581177cfbdd2f03d5a6f07c7ea4251c934f67710ade09ab04e9cb3884db94ef70
SSDEEP

1536:e3Mz8WzKcG6EBACCUDqgorWZK+DldD5Fw0F36:lwWWB0Aqg6WPpdD5Fwc6

Score

10^/10

phorphiex

Malware Config

Extracted

Family

phorphiex

http://185.215.113.84/twizt/

Wallets

13dJT8HaqHG3SzwEHN351NKpZHjT51LUMioPeZCuYFMn6Em2

1AFyjUHBU47bKeWD3Yv9vxFvfQCNFVhEB1

3PLCWMHvHvUKmzNKvrNxRHcpBBt841bLLRm

3LVETtCrwgP6fhf1W5h1aiuUbG5yp8MG2x

qraj0r42vag30v888rxrv23us6n9mwqzxqmanzrjzz

XdpMAtREQP2GiJPnhECJE17Yo47kqwxE2g

DAd39Hg29o3hXTXkCp867rWZ82QtYemBr1

0x7acBe663481E7cAB6C7b22af594A1Fa5553ddA5f

LVSQJj6WFnMzAFDZLidL19hCtTtJu1WNHy

rsJ93nxUfY9p5a1g8ZYd1w1YsHdVP3tSn1

TXGiKCawSp4VEYnXC4Eyvz8gVugh3ibZjr

t1eAsZic54jTo4V4DRPWMN4oLgSzsSSYxcw

AHZnFT4zfKU59R811DCthwxBPKuRqG2ES1

bitcoincash:qraj0r42vag30v888rxrv23us6n9mwqzxqmanzrjzz

44HTTxP6AQ716zmPnc96XWRzCPtmJCYU8CZeU1bUUGyVNTEcHvLrGsg53AHiifFgz8W5F2ERtVCBxdC73gJFNhCDNs4ndn2

GABBG3OBFC3JLJEXMFEKJMMHANGFWVPTPKUJSVOMZZGQO522AXGL7Q3P

GMinVxCfyuHFUBiuuWuaWkUBWgN1kgowfsNzjjuad7W9

bnb16yfddrq3325xuqh3070tlqsr5gr74jun7zefgz

bc1qvdu6nyvrppjtshy7rgfpkl74hkklj7plavr8je

Attributes

mutex
jf9k9ek
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
sample	family_phorphiex

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
sysfgdrvs.exe

Files

sysfgdrvs.exe
.exe windows:5 windows x86 arch:x86

13d4ecb21ffd4b77a0608840e931a3df

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

recvfrom
setsockopt
sendto
WSAStartup
bind
ioctlsocket
recv
send
WSACloseEvent
WSARecv
WSASend
WSAGetLastError
gethostname
connect
inet_ntoa
inet_addr
htons
getsockname
shutdown
socket
closesocket
gethostbyname
WSAEnumNetworkEvents
WSAEventSelect
listen
WSAWaitForMultipleEvents
getpeername
accept
WSAGetOverlappedResult
WSACreateEvent
WSASocketA

shlwapi

PathFileExistsW
StrCmpNW
PathMatchSpecW
PathFindFileNameW
PathFileExistsA
StrChrA
StrStrIA
StrCmpNIA
StrStrW

urlmon

URLDownloadToFileW

wininet

InternetConnectA
InternetOpenUrlW
HttpQueryInfoA
InternetOpenW
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
InternetCrackUrlA

ntdll

memcpy
_chkstk
_aulldiv
RtlUnwind
mbstowcs
RtlTimeToSecondsSince1980
NtQuerySystemTime
NtQueryVirtualMemory
memmove
isdigit
isalpha
_allshl
_aullshr
memset

msvcrt

rand
srand
_vscprintf

kernel32

MoveFileA
CreateProcessW
GetLocaleInfoA
DuplicateHandle
DeleteCriticalSection
GetThreadPriority
SetThreadPriority
GetCurrentThread
GetCurrentProcess
InterlockedExchangeAdd
InterlockedIncrement
InterlockedExchange
WaitForSingleObject
InterlockedDecrement
GetCurrentProcessId
HeapSetInformation
GetProcessHeaps
GetSystemInfo
PostQueuedCompletionStatus
HeapValidate
HeapCreate
HeapFree
HeapAlloc
HeapReAlloc
ExpandEnvironmentStringsW
CreateThread
DeleteFileA
CreateMutexA
MoveFileW
GetLastError
CreateEventA
ExitProcess
GetQueuedCompletionStatus
CreateIoCompletionPort
SetEvent
GetVolumeInformationW
SetFileAttributesW
lstrcpyW
DeleteFileW
GetDiskFreeSpaceExW
FindNextFileW
lstrcmpiW
QueryDosDeviceW
RemoveDirectoryW
lstrlenA
GlobalLock
GetModuleHandleW
GetTickCount
GlobalAlloc
Sleep
lstrcpynW
ExitThread
MultiByteToWideChar
lstrlenW
GlobalUnlock
GetFileSize
MapViewOfFile
UnmapViewOfFile
WriteFile
InitializeCriticalSection
LeaveCriticalSection
CreateFileW
FlushFileBuffers
EnterCriticalSection
CreateFileMappingW
CloseHandle
FindFirstFileW
GetDriveTypeW
MoveFileExW
CreateDirectoryW
GetLogicalDrives
CopyFileW
GetModuleFileNameW
lstrcmpW
FindClose

user32

SendMessageA
IsClipboardFormatAvailable
TranslateMessage
RegisterClassExW
GetWindowLongW
GetClipboardData
EmptyClipboard
ChangeClipboardChain
CloseClipboard
GetMessageA
FindWindowA
ShowWindow
wsprintfA
SetForegroundWindow
wvsprintfA
wsprintfW
SetWindowLongW
DefWindowProcA
RegisterRawInputDevices
CreateWindowExW
DispatchMessageA
OpenClipboard
SetClipboardData
SetClipboardViewer

advapi32

RegSetValueExW
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
RegQueryValueExW
RegOpenKeyExA
RegSetValueExA
RegCloseKey
RegOpenKeyExW

shell32

ShellExecuteW

ole32

CoInitializeEx
CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

SysAllocString
SysFreeString

Sections

.text
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

13d4ecb21ffd4b77a0608840e931a3df

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

shlwapi

urlmon

wininet

ntdll

msvcrt

kernel32

user32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 57KB - Virtual size: 57KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 5KB - Virtual size: 10KB

.text
Size: 57KB - Virtual size: 57KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 5KB - Virtual size: 10KB