General

  • Target

    2025-05-12_5863e6739751eaeefd95b0a5ba6259be_amadey_black-basta_darkgate_elex_luca-stealer_revil

  • Size

    2.9MB

  • Sample

    250512-e7skcaen5w

  • MD5

    5863e6739751eaeefd95b0a5ba6259be

  • SHA1

    28f3b31fbe70d056bb5db9b0303908ef251f8ed9

  • SHA256

    a42bd2b397f819557c47f9f50b9a4fc5e8072a510b541553c00f62574e79da6a

  • SHA512

    1c9b6ca7e325c7e29b74b09276d8b3ab02f985b9c80eef5162e5067ca643560ee0b080b70ec26fda6215fe7939453c797c6e8ea369eca16969d3261a71197353

  • SSDEEP

    49152:Del2rGTTSGhbwxkX6tH6ZVcXDF86wEdW2qqDjjvryeK+Fg86yInDi7fioDhVAVlq:Br5qkfsZUDFtwUBDXvryUYU

Malware Config

Extracted

Family

phorphiex

C2

http://185.156.72.39/

http://45.141.233.6/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes
  • mutex

    l9n7b5f2r

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://185.156.72.39

185.156.72.39

Targets

    • Target

      2025-05-12_5863e6739751eaeefd95b0a5ba6259be_amadey_black-basta_darkgate_elex_luca-stealer_revil

    • Size

      2.9MB

    • MD5

      5863e6739751eaeefd95b0a5ba6259be

    • SHA1

      28f3b31fbe70d056bb5db9b0303908ef251f8ed9

    • SHA256

      a42bd2b397f819557c47f9f50b9a4fc5e8072a510b541553c00f62574e79da6a

    • SHA512

      1c9b6ca7e325c7e29b74b09276d8b3ab02f985b9c80eef5162e5067ca643560ee0b080b70ec26fda6215fe7939453c797c6e8ea369eca16969d3261a71197353

    • SSDEEP

      49152:Del2rGTTSGhbwxkX6tH6ZVcXDF86wEdW2qqDjjvryeK+Fg86yInDi7fioDhVAVlq:Br5qkfsZUDFtwUBDXvryUYU

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks