phorphiex | 7a9e806b9ab83059465a45e4a5ef4027a551f433682e0e124f9ddde891c41321 | Triage

Resubmissions

23-10-2024 13:17

241023-qjq76asbla 10

23-10-2024 12:59

241023-p78lnstanq 10

Sharing

General

Target

sysbybt.rar
Size

209KB
Sample

241023-p78lnstanq
MD5

3559286d6f15cf3781646a538bddbb08
SHA1

64f1e80bac24c76b0348b66ad536ead31b227351
SHA256

7a9e806b9ab83059465a45e4a5ef4027a551f433682e0e124f9ddde891c41321
SHA512

fd36b9162ac38f8836330127adafceeceeb02c6db38c040a5857db8f0f716acaae7b8151907a80e72fb9bf00f970d77d6f1b7c34d4c354a8fa34c44b5fff070c
SSDEEP

3072:4z/dfTiqODl5bKyKnH78o7mfooZomIn9toyvkYfixbK8Kb4ywK8YncQ8O1wlla4:4xTiqYNhAQo7mfDa9to2Ux07QQKJ

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://b0t.to/

http://gshrghirhgsgrao.to/

http://hehfaofiehgggao.to/

http://soghrrsoeuhugao.to/

http://eiiiaoihoaeruao.to/

http://roiriorisioroao.to/

http://ouhgousgoahutao.to/

http://oeoaoueuoeuoaao.to/

http://aiaizzzezeezeao.to/

http://ouauooaoaoeeuao.to/

http://oeeoeuueueuueao.to/

http://eobbeaubfeuueao.to/

http://aauaaaeieiieeao.to/

http://aaaeieiiiofffao.to/

http://infineinfinigao.to/

http://baoefubfbfigoao.to/

http://aaauuwiifoogeao.to/

http://plporsiszsgetao.to/

http://gshrghirhgsgrla.co/

http://hehfaofiehgggla.co/

Wallets

1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh

qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0xa5228127395263575a4b4f532e4f132b14599d24

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Targets

- Target
  
  sysbybt.exe
- Size
  
  480KB
- MD5
  
  3282f6c806a89359ec94f287cf6c699c
- SHA1
  
  c21f0c289d247a5b8cf2526d09d2d443a1068704
- SHA256
  
  64d187bed40d023e14d41b1a80d528f5c12dcf743fcb4de91530567d3244e09e
- SHA512
  
  88b3edd6865e4bb5ca2ba931c39f33ce0bc1363a694426115c489d85ee043ae28842785aafe1147fcc79d5c1644295794fa38c5a399fb4b27bc85327898f0185
- SSDEEP
  
  12288:8oNcRxBnd9Zf/Y0wZB64czrTRUIFUNCY+8HX:4Lnd9Zf/05cfyIFU/
Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

phorphiexdiscoveryevasionexecutionloaderpersistencetrojanworm

behavioral2

phorphiexdiscoveryevasionexecutionloaderpersistencetrojanworm