phorphiex | 5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768b

General

Target

5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe
Size

99KB
MD5

b0d70de99c47f381d6edeefce3f55f30
SHA1

5799909e2a4b9f4d75f5ac9255a52c47a048bdce
SHA256

5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768b
SHA512

1a0ea5b4e7460998c51f3e27a2cebd94f01c4e27ce47212070e2e68b309d6f2d9fcdb50403a502f643ced74765fe86aa2323529c118bcc09b11e793c24d74291
SSDEEP

1536:rKtU7VoIHCBk2GBKG/SDxHHfVNmiv2Kva6tMef3PtZ5OKJg/p6:rKtURRxBtsRqYvaIMWZ5OKJg/p6

Score

10^/10

phorphiex discovery loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c99-10.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2036	B69E.exe
2424	1797226850.exe
3872	sysnldcvmr.exe
2864	959228217.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	1797226850.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	1797226850.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	1797226850.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B69E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1797226850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	959228217.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2036	4804	5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe	82
PID 4804 wrote to memory of 2036	4804	5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe	82
PID 4804 wrote to memory of 2036	4804	5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe	82
PID 2036 wrote to memory of 2424	2036	B69E.exe	83
PID 2036 wrote to memory of 2424	2036	B69E.exe	83
PID 2036 wrote to memory of 2424	2036	B69E.exe	83
PID 2424 wrote to memory of 3872	2424	1797226850.exe	86
PID 2424 wrote to memory of 3872	2424	1797226850.exe	86
PID 2424 wrote to memory of 3872	2424	1797226850.exe	86
PID 3872 wrote to memory of 2864	3872	sysnldcvmr.exe	92
PID 3872 wrote to memory of 2864	3872	sysnldcvmr.exe	92
PID 3872 wrote to memory of 2864	3872	sysnldcvmr.exe	92

C:\Users\Admin\AppData\Local\Temp\5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe
"C:\Users\Admin\AppData\Local\Temp\5a7a41b408a2fa98605015866308fca1abcebd90d1b40554f841841cb7b2768bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\B69E.exe
  "C:\Users\Admin\AppData\Local\Temp\B69E.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\1797226850.exe
    C:\Users\Admin\AppData\Local\Temp\1797226850.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\959228217.exe
        
        C:\Users\Admin\AppData\Local\Temp\959228217.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1797226850.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\959228217.exe

Filesize
53KB

MD5
84897ca8c1aa06b33248956ac25ec20a

SHA1
544d5d5652069b3c5e7e29a1ca3eea46b227bbfe

SHA256
023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1

SHA512
c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\B69E.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads