Overview

overview

10

Static

static

3

2025-05-07...om.exe

windows10-2004-x64

10

2025-05-07...om.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-05-07_68f612d4829e597f330e6e945d8d0502_black-basta_cobalt-strike_hijackloader_satacom

  • Size

    276KB

  • Sample

    250507-lvpfgssqw6

  • MD5

    68f612d4829e597f330e6e945d8d0502

  • SHA1

    2e04db3579bf4926cc4afc5dfb62549c86756f88

  • SHA256

    2ed7f1d2a5618b3a5a44e080470f5b1c0fdc9f29c04e3871503315bc230cc631

  • SHA512

    362676a3565aa9d7079a2e7367848c923fc2afd99d7190c6476bbfd1ab9ef8bf41f726f85933ce3aec00ac060aede053f7d1396f44c24b9514a8071619db3a92

  • SSDEEP

    3072:Kho6+jFymdDe9MCrQE3t3nEHlJ8aLW/qPkbhKXAVpm5PVzKbuAs0FNmhMn+IhNgZ:KGBjFymdDe9/rQE3qlxoON1vYl

Score
10/10
phorphiexdefense_evasiondiscoveryexecutionloaderpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.156.72.39/

http://185.215.113.66/
Wallets

TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx

ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
Attributes
  • mutex

    h7g5df54sdf

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://185.156.72.39

185.156.72.39

Targets

    • Target

      2025-05-07_68f612d4829e597f330e6e945d8d0502_black-basta_cobalt-strike_hijackloader_satacom

    • Size

      276KB

    • MD5

      68f612d4829e597f330e6e945d8d0502

    • SHA1

      2e04db3579bf4926cc4afc5dfb62549c86756f88

    • SHA256

      2ed7f1d2a5618b3a5a44e080470f5b1c0fdc9f29c04e3871503315bc230cc631

    • SHA512

      362676a3565aa9d7079a2e7367848c923fc2afd99d7190c6476bbfd1ab9ef8bf41f726f85933ce3aec00ac060aede053f7d1396f44c24b9514a8071619db3a92

    • SSDEEP

      3072:Kho6+jFymdDe9MCrQE3t3nEHlJ8aLW/qPkbhKXAVpm5PVzKbuAs0FNmhMn+IhNgZ:KGBjFymdDe9/rQE3qlxoON1vYl

    Score
    10/10
    phorphiexdefense_evasiondiscoveryexecutionloaderpersistencespywarestealertrojanworm

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Downloads MZ/PE file

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks

OSZAR »