Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
-
submitted
14/04/2025, 23:38
General
-
Target
2025-04-14_d253ec7aa6372a86839af0c6240ea009_amadey_black-basta_elex_luca-stealer.exe
-
Size
2.5MB
-
MD5
d253ec7aa6372a86839af0c6240ea009
-
SHA1
38928483d5a187256a9a35e76d568adb94205cba
-
SHA256
3df6732e54e92bd18126f2d4e93180bcccd4b43aa001a468426c087305244aaa
-
SHA512
c2e264e10932808b89ba98d210f95210863d6597829b211e657a17c3cd484db7c8fc7c71c1bbfa59ddfc7ac40aff169abb1d06c175b3b3f699bac686816c897f
-
SSDEEP
49152:NE8I6oEK7uzgRTvnFjStQyfvE0Z3R0nxiIq2dseYGVX:NE8IjzuzgFt7KtQRq23X
Malware Config
Extracted
phorphiex
http://185.215.113.66/
http://185.39.17.124/
TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx
ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX
CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
-
mutex
x5x7x2x9x
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Signatures
-
Phorphiex family
-
Phorphiex payload 1 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Downloads MZ/PE file 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-14_d253ec7aa6372a86839af0c6240ea009_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-14_d253ec7aa6372a86839af0c6240ea009_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8107.exe"C:\Users\Admin\AppData\Local\Temp\8107.exe"2⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\256288062.exeC:\Users\Admin\AppData\Local\Temp\256288062.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysldrvsn.exeC:\Windows\sysldrvsn.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\sysldrvsn.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysldrvsn.exeC:\Windows\sysldrvsn.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
79KB
MD500306e1e4a4230f9dc6b626a68dcbbb0
SHA11d71fc3b6a308396c8f03bdc0ee012b44d7782e9
SHA2568133c11eeec328b9995eec62438ecd87535d540f320beab4642d032661e448b2
SHA5126899d3bac0cf0b493e0f4e85700a40f6ebc433c8319f746e803a948fe9715f00682adb09f967e9a02e6e4bffa020083d12192e1e375fa82a4a648ba28b3d6af9
-
Filesize
10KB
MD521789ebcbfca1eb0c6881e6af6216a81
SHA130152ddbe1150a2a612eb7b08e6551830276c8f0
SHA256c0d12405d2a5cd6064e6e498d6f5f7fd48c72b2d02f171f20f898a4d2832968c
SHA512cf3296247865130e4e769f09280d5f15237bedf474734f7b383130dfd01c5407a081e3f571152c393845b08d8ed48a0b2d23d11e905783332fb2552d20ad4514