phorphiex | 3a43c6041de9b1e8f5c317c97b61cfd058e9709f811b1a77f280e0687913355a

General

Target

2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe
Size

202KB
MD5

abf69b35a1d70c5419e0f3319a66e4f5
SHA1

5e74b6aeee6e8b2967475de31b558afa3019c51a
SHA256

3a43c6041de9b1e8f5c317c97b61cfd058e9709f811b1a77f280e0687913355a
SHA512

a66fef53d03c8b9a6a931644847597ccacaac08302a5a208698f60727d443f67b59c49c9a584d971d69fd0054df5bd208f7bc37bc4274989f6f1d800224fa6ec
SSDEEP

3072:5ie6EHcj8tVyZB4U55PAFJJoU10fbCN9OEM50T5/s9s:ke6EX/yf5idog0DC3Sg

Score

10^/10

phorphiex discovery loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://twizt.net

http://45.93.20.18

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://45.93.20.18/

Wallets

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0xCa90599132C4D88907Bd8E046540284aa468a035

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
k9ubbn6sdfs
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001471c-10.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 2 IoCs

flow	pid	Process
7	2700	589B.exe
3	3044	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe

Executes dropped EXE 4 IoCs

pid	Process
2700	589B.exe
2672	1362621125.exe
2028	sysldrvcs.exe
2328	1190227876.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe
2700	589B.exe
2700	589B.exe
2028	sysldrvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysldrvcs.exe"	1362621125.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysldrvcs.exe	1362621125.exe
File opened for modification	C:\Windows\sysldrvcs.exe	1362621125.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	589B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1362621125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysldrvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1190227876.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2700	3044	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe	28
PID 3044 wrote to memory of 2700	3044	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe	28
PID 3044 wrote to memory of 2700	3044	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe	28
PID 3044 wrote to memory of 2700	3044	2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe	28
PID 2700 wrote to memory of 2672	2700	589B.exe	30
PID 2700 wrote to memory of 2672	2700	589B.exe	30
PID 2700 wrote to memory of 2672	2700	589B.exe	30
PID 2700 wrote to memory of 2672	2700	589B.exe	30
PID 2672 wrote to memory of 2028	2672	1362621125.exe	31
PID 2672 wrote to memory of 2028	2672	1362621125.exe	31
PID 2672 wrote to memory of 2028	2672	1362621125.exe	31
PID 2672 wrote to memory of 2028	2672	1362621125.exe	31
PID 2028 wrote to memory of 2328	2028	sysldrvcs.exe	36
PID 2028 wrote to memory of 2328	2028	sysldrvcs.exe	36
PID 2028 wrote to memory of 2328	2028	sysldrvcs.exe	36
PID 2028 wrote to memory of 2328	2028	sysldrvcs.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_abf69b35a1d70c5419e0f3319a66e4f5_mafia_rhadamanthys.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\589B.exe
  "C:\Users\Admin\AppData\Local\Temp\589B.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\1362621125.exe
    C:\Users\Admin\AppData\Local\Temp\1362621125.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\sysldrvcs.exe
      C:\Windows\sysldrvcs.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\1190227876.exe
        
        C:\Users\Admin\AppData\Local\Temp\1190227876.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1190227876.exe

Filesize
19KB

MD5
9adb4c4939743d5f3e670b4d783d38e5

SHA1
7c989249b99b82def352f66bc97d9403fd6e653b

SHA256
be502d8d90235a3c317e97cacb55b0eb5ec2aa8c50a582ec6f0527d08e99a759

SHA512
7573981af4fc4845e4af61067e4620b92aace90b4ac218a14920dc6f93bddafac92a8f7b02c61f3d41b42ba9f1aabbea3c215dc439da3e9c9dc68060c9a53ac1

Download Submit
\Users\Admin\AppData\Local\Temp\1362621125.exe

Filesize
101KB

MD5
8a30adfbb8c9ed8170177ce8c5738fbf

SHA1
2d029ddd39fe81a08982dd4309a74045aa91004f

SHA256
72b19310a8c3cdfc23be1041eb773e6e41a08ec608e53b027b32e05a275b1da9

SHA512
8885308b53b8d1baab14a98ec257acac9c700f2cebe48cbb79a25e3d7133f0016ba082ec9f8397c9b1677375dd5a1d3894d813aba5947f267b44b012fa6a027f

Download Submit
\Users\Admin\AppData\Local\Temp\589B.exe

Filesize
10KB

MD5
21789ebcbfca1eb0c6881e6af6216a81

SHA1
30152ddbe1150a2a612eb7b08e6551830276c8f0

SHA256
c0d12405d2a5cd6064e6e498d6f5f7fd48c72b2d02f171f20f898a4d2832968c

SHA512
cf3296247865130e4e769f09280d5f15237bedf474734f7b383130dfd01c5407a081e3f571152c393845b08d8ed48a0b2d23d11e905783332fb2552d20ad4514

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads