phorphiex | 2840a81e534aa9badebe491f4e4a860a137f8eeb6f70e51c6262d832c5f576eb

General

Target

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.zip
Size

4KB
Sample

241118-rbsxfsxpb1
MD5

acdd529caa0275c64931ac2796e61f0f
SHA1

c40c28e55cc9597a8cfcff327eafc4fbc352261a
SHA256

2840a81e534aa9badebe491f4e4a860a137f8eeb6f70e51c6262d832c5f576eb
SHA512

86942d3666e58564990ea179e89d4f2e6066c227ee6c8ad2c7f73f02d05b093c04f3e8f4e9cf26435fbef7efa8aeee6cbfd56d73ed4a6a09ffe65dfea7da9ad1
SSDEEP

96:v+dd3RBTeK462K1bz2jldHF4YwYRIzN7oUekf2p8uxrQkSaHPuIqBJwM7+d:KNRVl2PjlddTR9oY8ySavuIqng

Score

10^/10

Malware Config

Extracted

Family

redline

C2

38.180.72.54:42814

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

redline

Botnet

newbundle2

C2

185.215.113.67:15206

Targets

- Target
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

phorphiex redline wannacry xmrig newbundle2 defense_evasion discovery evasion execution infostealer loader miner ransomware themida trojan upx worm
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1