phorphiex | b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3

General

Target

2024-10-26_f12e2945773ae0c18f91290049709f5e_avoslocker_revil
Size

4.5MB
Sample

241026-n1d8taveqr
MD5

f12e2945773ae0c18f91290049709f5e
SHA1

d835e55adf3e466e4ef41dfb5ff06670368c8ad7
SHA256

b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3
SHA512

9b0197710f9df9cbd8f4ba992d7a4276deb6600223a351f45d871e98835d2fb9072497baee7da9c456fff1a1977db45a148c0da7f24504c22c89c9946358fd72
SSDEEP

98304:HNuGxoPVmxTtDX+p4qo4iHM6OKWR6CpPcZ8wRhIybxj5t8PGXoQ1dVjJ:HRePVmxTtDX+OhlHhOts8wRh9bJQq1dt

Score

10^/10

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://185.215.113.84

Targets

- Target
  
  2024-10-26_f12e2945773ae0c18f91290049709f5e_avoslocker_revil
- Size
  
  4.5MB
- MD5
  
  f12e2945773ae0c18f91290049709f5e
- SHA1
  
  d835e55adf3e466e4ef41dfb5ff06670368c8ad7
- SHA256
  
  b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3
- SHA512
  
  9b0197710f9df9cbd8f4ba992d7a4276deb6600223a351f45d871e98835d2fb9072497baee7da9c456fff1a1977db45a148c0da7f24504c22c89c9946358fd72
- SSDEEP
  
  98304:HNuGxoPVmxTtDX+p4qo4iHM6OKWR6CpPcZ8wRhIybxj5t8PGXoQ1dVjJ:HRePVmxTtDX+OhlHhOts8wRh9bJQq1dt
Score

10^/10

phorphiex discovery evasion execution loader persistence spyware stealer trojan worm xmrig miner
- Modifies security service
  evasion
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2