General
-
Target
2025-07-01_70c1c2023fe153a4353361eaa9c99984_akira_black-basta_cobalt-strike_coinminer_hijackloader_satacom_vidar
-
Size
3.9MB
-
Sample
250701-fcaaysskv7
-
MD5
70c1c2023fe153a4353361eaa9c99984
-
SHA1
2277451b1ecab1d48940b620c6717ba5d7435ae0
-
SHA256
b2989738994a25af78abc78466fafaf3f9e04549de3d91598442e7a0daeb20e8
-
SHA512
ce37db55038cdd54d4d9eff36ce51217d14bf97682c5b519efb6de7dd5549470e0724fc00ab0db2f14d7ebee58091efb0ac8615709634c9af296b56a5a575a80
-
SSDEEP
98304:LE4iAOVAzyXJJ4Jw7aKTKK4KKDyK5FZ1EEEEmEEE1EEEEEEEEEEElKK1KKK1KKK:LE4qVAzKJJ4JG
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-01_70c1c2023fe153a4353361eaa9c99984_akira_black-basta_cobalt-strike_coinminer_hijackloader_satacom_vidar.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
2025-07-01_70c1c2023fe153a4353361eaa9c99984_akira_black-basta_cobalt-strike_coinminer_hijackloader_satacom_vidar.exe
Resource
win11-20250610-en
Malware Config
Extracted
phorphiex
http://185.156.72.39
Extracted
phorphiex
http://185.156.72.39/
http://45.141.233.6/
TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx
ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX
CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
-
mutex
l9n7b5f2r
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Targets
-
-
Target
2025-07-01_70c1c2023fe153a4353361eaa9c99984_akira_black-basta_cobalt-strike_coinminer_hijackloader_satacom_vidar
-
Size
3.9MB
-
MD5
70c1c2023fe153a4353361eaa9c99984
-
SHA1
2277451b1ecab1d48940b620c6717ba5d7435ae0
-
SHA256
b2989738994a25af78abc78466fafaf3f9e04549de3d91598442e7a0daeb20e8
-
SHA512
ce37db55038cdd54d4d9eff36ce51217d14bf97682c5b519efb6de7dd5549470e0724fc00ab0db2f14d7ebee58091efb0ac8615709634c9af296b56a5a575a80
-
SSDEEP
98304:LE4iAOVAzyXJJ4Jw7aKTKK4KKDyK5FZ1EEEEmEEE1EEEEEEEEEEElKK1KKK1KKK:LE4qVAzKJJ4JG
-
Phorphiex family
-
Phorphiex payload
-
Xmrig family
-
XMRig Miner payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1