phorphiex | 7b156470879a855d50e141919c3e03b107ff64dbda7709b2dbeeefea8c09762c

General

Target

2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe
Size

10.2MB
MD5

bce4c9fffc43e2281706631744d6cced
SHA1

c877c71a499e9e7521b28d54561ca61664e761da
SHA256

7b156470879a855d50e141919c3e03b107ff64dbda7709b2dbeeefea8c09762c
SHA512

469d31956e2cdcd69a6aa63dbed5c9e5a9914c55299913eac92960c9faacef339e2d7bb729ce70d1e9d797e77fa893aae376314e31ffd478c685cce7aed8aa7f
SSDEEP

196608:/3FY0NuFehMgTctuuYPHOs79Jbp0xtJ62LtAAnAcErVs5uopx+mOb:/3FBNUycM7REJ62JnarV0lx+b

Score

10^/10

phorphiex discovery loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://185.39.17.124/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
x5x7x2x9x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242f2-25.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 2 IoCs

flow	pid	Process
22	2104	8194.exe
3	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe

Executes dropped EXE 5 IoCs

pid	Process
2104	8194.exe
3100	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe
4800	120358316.exe
5748	sysldrvsn.exe
2056	sysldrvsn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysldrvsn.exe"	120358316.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysldrvsn.exe	120358316.exe
File opened for modification	C:\Windows\sysldrvsn.exe	120358316.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	120358316.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysldrvsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8194.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5656 wrote to memory of 2104	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe	88
PID 5656 wrote to memory of 2104	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe	88
PID 5656 wrote to memory of 2104	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe	88
PID 5656 wrote to memory of 3100	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe	89
PID 5656 wrote to memory of 3100	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe	89
PID 5656 wrote to memory of 3100	5656	2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe	89
PID 2104 wrote to memory of 4800	2104	8194.exe	97
PID 2104 wrote to memory of 4800	2104	8194.exe	97
PID 2104 wrote to memory of 4800	2104	8194.exe	97
PID 4800 wrote to memory of 5748	4800	120358316.exe	99
PID 4800 wrote to memory of 5748	4800	120358316.exe	99
PID 4800 wrote to memory of 5748	4800	120358316.exe	99
PID 5380 wrote to memory of 2056	5380	cmd.exe	101
PID 5380 wrote to memory of 2056	5380	cmd.exe	101
PID 5380 wrote to memory of 2056	5380	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5656
- C:\Users\Admin\AppData\Local\Temp\8194.exe
  "C:\Users\Admin\AppData\Local\Temp\8194.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\120358316.exe
    C:\Users\Admin\AppData\Local\Temp\120358316.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\sysldrvsn.exe
      C:\Windows\sysldrvsn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5748
- C:\Users\Admin\AppData\Local\Temp\eset\bts.session\25561514-beb9-4d43-9b81-9f6dad589d56\2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\25561514-beb9-4d43-9b81-9f6dad589d56\2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe" --bts-container 5656 "C:\Users\Admin\AppData\Local\Temp\2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\sysldrvsn.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5380
- C:\Windows\sysldrvsn.exe
  C:\Windows\sysldrvsn.exe
  2⤵
  - Executes dropped EXE
  PID:2056

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\120358316.exe

Filesize
79KB

MD5
00306e1e4a4230f9dc6b626a68dcbbb0

SHA1
1d71fc3b6a308396c8f03bdc0ee012b44d7782e9

SHA256
8133c11eeec328b9995eec62438ecd87535d540f320beab4642d032661e448b2

SHA512
6899d3bac0cf0b493e0f4e85700a40f6ebc433c8319f746e803a948fe9715f00682adb09f967e9a02e6e4bffa020083d12192e1e375fa82a4a648ba28b3d6af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8194.exe

Filesize
10KB

MD5
21789ebcbfca1eb0c6881e6af6216a81

SHA1
30152ddbe1150a2a612eb7b08e6551830276c8f0

SHA256
c0d12405d2a5cd6064e6e498d6f5f7fd48c72b2d02f171f20f898a4d2832968c

SHA512
cf3296247865130e4e769f09280d5f15237bedf474734f7b383130dfd01c5407a081e3f571152c393845b08d8ed48a0b2d23d11e905783332fb2552d20ad4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\25561514-beb9-4d43-9b81-9f6dad589d56\2025-04-14_bce4c9fffc43e2281706631744d6cced_black-basta_elex_hijackloader_luca-stealer.exe

Filesize
2.4MB

MD5
e042423b19d722d147b8941df2d6e7d4

SHA1
9d93c7a59f23b6f7c96286b102588348b913da72

SHA256
b827cdc99d7c6a7fe5dde679b058c6d9ffc500bacc206f4666034555b1dac140

SHA512
cc205539a4481c98de79ff787cc7fc0bade3eebe104c0a9a11dfad2717f32ec76e43140e0e3aa044452aea69352fa4bff9f7a70f2dc0ea75e60073e6a8df7d56

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads