General

  • Target

    ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7

  • Size

    618KB

  • Sample

    241204-y6pa3szjhx

  • MD5

    cd3237b1e648d31b8761196b6c64da8a

  • SHA1

    2e677b7cafc3a8ee1696dddf38b176191d256559

  • SHA256

    ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7

  • SHA512

    d71338a7de6f1859edcbbd9ed0a32430e0561f8ae91883c62e6fbc4bc2d082ebd1d538312ef42543385c514ced0166c552fe211debf783f0deae82530045e4d7

  • SSDEEP

    12288:QmKt6DsU6ngc3kY+KC5gzwGKZ4cuQW8XQAL019bqoFARwpVp:QR8Y+sxYWkX019bqgWwpVp

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes
  • mutex

    753f85d83d

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://twizt.net

http://185.215.113.84

Targets

    • Target

      ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7

    • Size

      618KB

    • MD5

      cd3237b1e648d31b8761196b6c64da8a

    • SHA1

      2e677b7cafc3a8ee1696dddf38b176191d256559

    • SHA256

      ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7

    • SHA512

      d71338a7de6f1859edcbbd9ed0a32430e0561f8ae91883c62e6fbc4bc2d082ebd1d538312ef42543385c514ced0166c552fe211debf783f0deae82530045e4d7

    • SSDEEP

      12288:QmKt6DsU6ngc3kY+KC5gzwGKZ4cuQW8XQAL019bqoFARwpVp:QR8Y+sxYWkX019bqgWwpVp

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks