Overview

overview

10

Static

static

3

ea8206a149...92.exe

windows7-x64

10

ea8206a149...92.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ea8206a1499040130f6c075be720c5742aaa770dfaa4b1a59642de82c9cc4792

  • Size

    58KB

  • Sample

    250207-g9lkxstnbj

  • MD5

    a62d2e705d1a32b0829ade8fde56cf98

  • SHA1

    0f0ff6b268c07ced1b4988fb531251286621c711

  • SHA256

    ea8206a1499040130f6c075be720c5742aaa770dfaa4b1a59642de82c9cc4792

  • SHA512

    8cd6d582acacac27352573916bc5f14f035579495377f5858f5d87a16c755047a0ea89aeaaed3b2ae27c97ba8fc48775c394e1492a0da0ff6fa6312476d18c29

  • SSDEEP

    768:M/05iRcdYFtVM1qUQuvc9HzSHUSUuOOXv8s3i6E5nXfUWPYfIc/Qi3qEBQpfCMP:M88OoVM1q8ewf1OO53i6EBXlLOUp6M

Score
10/10
phorphiexdefense_evasiondiscoveryexecutionloaderpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/
Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
Attributes
  • mutex

    753f85d83d

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://185.215.113.66

185.215.113.66

Targets

    • Target

      ea8206a1499040130f6c075be720c5742aaa770dfaa4b1a59642de82c9cc4792

    • Size

      58KB

    • MD5

      a62d2e705d1a32b0829ade8fde56cf98

    • SHA1

      0f0ff6b268c07ced1b4988fb531251286621c711

    • SHA256

      ea8206a1499040130f6c075be720c5742aaa770dfaa4b1a59642de82c9cc4792

    • SHA512

      8cd6d582acacac27352573916bc5f14f035579495377f5858f5d87a16c755047a0ea89aeaaed3b2ae27c97ba8fc48775c394e1492a0da0ff6fa6312476d18c29

    • SSDEEP

      768:M/05iRcdYFtVM1qUQuvc9HzSHUSUuOOXv8s3i6E5nXfUWPYfIc/Qi3qEBQpfCMP:M88OoVM1q8ewf1OO53i6EBXlLOUp6M

    Score
    10/10
    phorphiexdiscoveryloaderpersistencespywarestealertrojanwormdefense_evasionexecution

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Downloads MZ/PE file

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks