phorphiex | f71a60f5e72e725d5dcda6bab40d53fb9ad881fb83bb9395d66c889f2d5669e4

General

Target

2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe
Size

1002KB
MD5

7b9ebbb65e14348f8cdfe321d8de3336
SHA1

8f30dc1523b13b427a73bfef8ffeecead91ba9c8
SHA256

f71a60f5e72e725d5dcda6bab40d53fb9ad881fb83bb9395d66c889f2d5669e4
SHA512

18438dab380d0fc7f238d49fb6f3fa4cb6507c82cc3039c874730cac89d1ca6425c542eefbac979c636848d7081753d865e4b21dd4f71c9c377f97a53274cb30
SSDEEP

12288:lr0UR9h0BN3J05wRWGBgbib5J79QvjlDjMzVkpSHNl2J:lr0URPEJ0sg+9kqVkpSHeJ

Score

10^/10

phorphiex defense_evasion discovery loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://45.93.20.18/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
kl8efyru3
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000024260-105.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 2 IoCs

flow	pid	Process
28	1884	8731.exe
1	5112	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe

Executes dropped EXE 4 IoCs

pid	Process
1884	8731.exe
452	1278913215.exe
2616	sysldsvp.exe
4788	sysldsvp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysldsvp.exe"	1278913215.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysldsvp.exe	1278913215.exe
File opened for modification	C:\Windows\sysldsvp.exe	1278913215.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1278913215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysldsvp.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5112	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1884	5112	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe	88
PID 5112 wrote to memory of 1884	5112	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe	88
PID 5112 wrote to memory of 1884	5112	2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe	88
PID 1884 wrote to memory of 452	1884	8731.exe	90
PID 1884 wrote to memory of 452	1884	8731.exe	90
PID 1884 wrote to memory of 452	1884	8731.exe	90
PID 452 wrote to memory of 2616	452	1278913215.exe	92
PID 452 wrote to memory of 2616	452	1278913215.exe	92
PID 452 wrote to memory of 2616	452	1278913215.exe	92
PID 3468 wrote to memory of 4788	3468	cmd.exe	94
PID 3468 wrote to memory of 4788	3468	cmd.exe	94
PID 3468 wrote to memory of 4788	3468	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-13_7b9ebbb65e14348f8cdfe321d8de3336_amadey_elex_smoke-loader.exe"
1⤵
- Downloads MZ/PE file
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\8731.exe
  "C:\Users\Admin\AppData\Local\Temp\8731.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\1278913215.exe
    C:\Users\Admin\AppData\Local\Temp\1278913215.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\sysldsvp.exe
      C:\Windows\sysldsvp.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\sysldsvp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\sysldsvp.exe
  C:\Windows\sysldsvp.exe
  2⤵
  - Executes dropped EXE
  PID:4788

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1278913215.exe

Filesize
77KB

MD5
aad6256db1d77092b8aa4a34d562ed74

SHA1
d38639790659cfe9282a74aaadf0c273fa5bdb2b

SHA256
824fc258693bdd485e611fb4ac804af96c2dab12a025ed0b7ed2daebe2e6e0f9

SHA512
1950e25d089d559790b5b477f4308ec5322e1a3d9fff0a9d691905fb8d76d4ac90cb64e53b4b2c971617dc17f928a9785804c01bc73bfa3dd844c0484b2e609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8731.exe

Filesize
10KB

MD5
21789ebcbfca1eb0c6881e6af6216a81

SHA1
30152ddbe1150a2a612eb7b08e6551830276c8f0

SHA256
c0d12405d2a5cd6064e6e498d6f5f7fd48c72b2d02f171f20f898a4d2832968c

SHA512
cf3296247865130e4e769f09280d5f15237bedf474734f7b383130dfd01c5407a081e3f571152c393845b08d8ed48a0b2d23d11e905783332fb2552d20ad4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
185KB

MD5
02a2c53bd88849d635e985274c7ca2ef

SHA1
b229a28dfaf7fd1cd5fda4c9cab5828027d509ce

SHA256
fd8fa0a723aad8c6f74e05662bb3962a11f16acb13195cf73ea330100a90144e

SHA512
e656eb3fe2a436d4cfb5cdaa2de1a5af18acb53e28b74f5f67ac44d95766c42827042da5ea800b67d271452a3151df14f9c5e4a1aeb7a8f6ac0be638b517b78b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads