phorphiex | 0d959fc5cf64bfda22df007fbd93d9189c1b0cf2eff621192144bb71a680467b | Triage

Submit
Reports

Overview

overview

Static

static

3

2025-05-19...om.exe

windows10-2004-x64

2025-05-19...om.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

2025-05-19_aa4dfc0e3c12dda0472b859129a0da82_black-basta_cobalt-strike_hijackloader_satacom
Size

3.6MB
Sample

250519-2yey8a1l15
MD5

aa4dfc0e3c12dda0472b859129a0da82
SHA1

4a076f101a4f9ab7dda56322923e0c2ac62a90cc
SHA256

0d959fc5cf64bfda22df007fbd93d9189c1b0cf2eff621192144bb71a680467b
SHA512

09c5d03f4e186a41c3b963f1ae790e83265e982558391553b8440015209de1e560ca6864f7df50110ee294507ad7bd4a1df8fa640446b0a883cd90d208bef3cc
SSDEEP

49152:R07ABNrf2SU0KSIp2yv8oOEfed2RMCQC8nXc5EikzXztCfU0yutc7EdbbHOMMKlS:R08yNFfO/nXc5Xk3t+Jb75MKpm

Score

10^/10

phorphiex xmrig defense_evasion discovery execution loader miner persistence trojan upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2025-05-19_aa4dfc0e3c12dda0472b859129a0da82_black-basta_cobalt-strike_hijackloader_satacom.exe

Resource

win10v2004-20250502-en

phorphiex xmrig defense_evasion discovery execution loader miner persistence trojan upx worm

windows10-2004-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

2025-05-19_aa4dfc0e3c12dda0472b859129a0da82_black-basta_cobalt-strike_hijackloader_satacom.exe

Resource

win11-20250502-en

phorphiex discovery loader persistence trojan worm

windows11-21h2-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

phorphiex

C2

http://185.156.72.39

Extracted

Family

phorphiex

C2

http://185.156.72.39/

http://45.141.233.6/

Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

Attributes

mutex
l9n7b5f2r
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Targets

- Target
  
  2025-05-19_aa4dfc0e3c12dda0472b859129a0da82_black-basta_cobalt-strike_hijackloader_satacom
- Size
  
  3.6MB
- MD5
  
  aa4dfc0e3c12dda0472b859129a0da82
- SHA1
  
  4a076f101a4f9ab7dda56322923e0c2ac62a90cc
- SHA256
  
  0d959fc5cf64bfda22df007fbd93d9189c1b0cf2eff621192144bb71a680467b
- SHA512
  
  09c5d03f4e186a41c3b963f1ae790e83265e982558391553b8440015209de1e560ca6864f7df50110ee294507ad7bd4a1df8fa640446b0a883cd90d208bef3cc
- SSDEEP
  
  49152:R07ABNrf2SU0KSIp2yv8oOEfed2RMCQC8nXc5EikzXztCfU0yutc7EdbbHOMMKlS:R08yNFfO/nXc5Xk3t+Jb75MKpm
Score

10^/10

phorphiex xmrig defense_evasion discovery execution loader miner persistence trojan upx worm
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  defense_evasion execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

phorphiexxmrigdefense_evasiondiscoveryexecutionloaderminerpersistencetrojanupxworm

behavioral2

phorphiexdiscoveryloaderpersistencetrojanworm

© 2018-2025

Terms | Privacy