Extracted

• • Target

    fdbf0c19ebcafcf5e4295edc9e4a37836ba580b9a4d63b2a9ccdf8418ed5fe84

  • Size

    10KB

  • MD5

    82894caeb7e149bb38d344fbc2a821d9

  • SHA1

    bf86bd33666e58f291bc9135a95f67a7483cde52

  • SHA256

    fdbf0c19ebcafcf5e4295edc9e4a37836ba580b9a4d63b2a9ccdf8418ed5fe84

  • SHA512

    fff4b4e8f5d03f6dea5cffc58e59455362269410cb48ce5a2ced621f8489e01bfddd0f99d32b181186fe63ff64c1aa0172b735c008018dba61119143b5e9ddf3

  • SSDEEP

    192:4luii0852nhe8D9+6X/2X1JxTh3thW8yV:4lTdu2nhpsiuFV32V

  Score

  10^/10

  phorphiexxmrigdiscoveryexecutionloaderminerpersistencespywarestealertrojanworm

  • Phorphiex family

    phorphiex

  • Phorphiex payload

  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xmrig family

    xmrig

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2