General

  • Target

    2025-05-12_7703ed73998a1dbd4fc5456f75dbb1e0_black-basta_cobalt-strike_coinminer_hijackloader_satacom

  • Size

    5.0MB

  • Sample

    250512-x7mm7sgk4w

  • MD5

    7703ed73998a1dbd4fc5456f75dbb1e0

  • SHA1

    8c4c1c01b1a53d6c7c1febcbe54f871036439d55

  • SHA256

    d5e7abaed1f34eb1694597bcf1fd7e32522b0e6ac8522d3ae273d493478c4d2b

  • SHA512

    c043386fe71dc9244a1f08692eb60e91d283c3ad5baa39d841c4d155aad6cb53c0585da6c14673c1cc6b582c04a8767c19f1af03c163409bbf6d690eb83781b0

  • SSDEEP

    49152:hOjPWHQ4kEMmU+SPcivWhQ8kTAA2Z8b4cF8y7Rzb5Q1fRL77Ldrv+ZiI7ID5qNWi:Qx+/SAA1FvYfMWtAZ/xwRb/J

Malware Config

Extracted

Family

phorphiex

C2

http://185.156.72.39/

http://45.141.233.6/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes
  • mutex

    l9n7b5f2r

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://185.156.72.39

185.156.72.39

Targets

    • Target

      2025-05-12_7703ed73998a1dbd4fc5456f75dbb1e0_black-basta_cobalt-strike_coinminer_hijackloader_satacom

    • Size

      5.0MB

    • MD5

      7703ed73998a1dbd4fc5456f75dbb1e0

    • SHA1

      8c4c1c01b1a53d6c7c1febcbe54f871036439d55

    • SHA256

      d5e7abaed1f34eb1694597bcf1fd7e32522b0e6ac8522d3ae273d493478c4d2b

    • SHA512

      c043386fe71dc9244a1f08692eb60e91d283c3ad5baa39d841c4d155aad6cb53c0585da6c14673c1cc6b582c04a8767c19f1af03c163409bbf6d690eb83781b0

    • SSDEEP

      49152:hOjPWHQ4kEMmU+SPcivWhQ8kTAA2Z8b4cF8y7Rzb5Q1fRL77Ldrv+ZiI7ID5qNWi:Qx+/SAA1FvYfMWtAZ/xwRb/J

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Network Service Discovery

      Attempt to gather information on host's network.

MITRE ATT&CK Enterprise v16

Tasks