General

  • Target

    SecuriteInfo.com.Win32.HLLW.Phorpiex.1488.31170.10322.exe

  • Size

    84KB

  • Sample

    250505-prs62sdp5t

  • MD5

    8cc0e158c7814f38aa7dcce43e4b5d26

  • SHA1

    318303604ac2de7cc1438caa9b2348f5475df99b

  • SHA256

    90766ad30dff5ae4857baa08ecc6bbc137fe1409234444ad8383e2742d60950f

  • SHA512

    4cd2fb525326f726ae0000c4227ed4ad9154a922f8bc4cc607668ec5cff28afcdff0a28adf94cbbbb06662f89153b1ce4a9a4d3a4bbe268e216f8e931e7857da

  • SSDEEP

    1536:2nlZChFmav82Sd1P6MBr5xDRBj26z6mBmND:OzvOKd1P6CxDXK6WVND

Malware Config

Extracted

Family

phorphiex

C2

http://185.156.72.39/

http://185.215.113.66/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes
  • mutex

    h7g5df54sdf

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://185.156.72.39

185.156.72.39

Targets

    • Target

      SecuriteInfo.com.Win32.HLLW.Phorpiex.1488.31170.10322.exe

    • Size

      84KB

    • MD5

      8cc0e158c7814f38aa7dcce43e4b5d26

    • SHA1

      318303604ac2de7cc1438caa9b2348f5475df99b

    • SHA256

      90766ad30dff5ae4857baa08ecc6bbc137fe1409234444ad8383e2742d60950f

    • SHA512

      4cd2fb525326f726ae0000c4227ed4ad9154a922f8bc4cc607668ec5cff28afcdff0a28adf94cbbbb06662f89153b1ce4a9a4d3a4bbe268e216f8e931e7857da

    • SSDEEP

      1536:2nlZChFmav82Sd1P6MBr5xDRBj26z6mBmND:OzvOKd1P6CxDXK6WVND

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks