
Phorpiex

Global rank: 40
Month rank: 31
Week rank: 36
IOCs: 6378

Phorpiex is malware that has been a significant threat in the cybersecurity landscape since 2016. It is modular and known for maintaining an extensive botnet. Unlike many other botnets, Phorpiex does not concentrate on DDoS attacks; instead, it has been involved in numerous large-scale spam email campaigns and in the distribution of other malicious payloads, such as LockBit.

Type: Botnet
Origin: Unknown
First seen: 1 August, 2016
Last seen: 15 July, 2024
Also known as: Trik


IOCs

IP addresses
Hashes
Domains
URLs


What is Phorpiex malware?

Phorpiex is botnet malware written in C++ that was first spotted in 2016. Originally, it infiltrated devices by brute-forcing logins with default credentials. Once on a system, it received instructions from its operators to deliver extra payloads, thus serving as a loader. Another feature of the threat is its worm-like behavior, which lets it spread via USB drives.

The malware has been used to infect thousands of devices and install various malicious programs, including ransomware and cryptojacking software. It was also employed in sextortion campaigns in which phishing emails were sent to users from a leaked database, demanding that they pay the attackers.

In August 2021, it was deactivated by its operators, and Phorpiex’s source code was put up for sale on a dark web forum. This, however, did not spell the end of the malware, as it was back in operation by the end of the year. This time it heavily targeted virtual currency users through crypto clipping: the botnet automatically replaced victims’ crypto wallet addresses with those of the operators, duping them into transferring funds to the criminals.

In 2024, the malware made a serious comeback as part of another large-scale phishing campaign, sending thousands of emails carrying the LockBit ransomware to victims.


Phorpiex botnet execution process

To see how the latest version of the malware operates on an infected system, let’s upload a sample to ANY.RUN’s cloud malware sandbox.

Figure: Phorpiex sample analysis in the ANY.RUN sandbox

After Phorpiex malware is delivered and installed on the machine, it adds a registry key to ensure it runs automatically at startup. It also introduces a mutex to prevent multiple instances from running.

Figure: Phorpiex process graph in ANY.RUN

Because the malware acts as a worm, it immediately starts copying itself to removable and shared drives in order to spread. Phorpiex can also disable security features, which helps it maintain persistence and continue spreading.

The malware also tries to connect to malicious command and control (C2) servers. If the connection is successful, Phorpiex downloads and executes additional malware, such as cryptominers or ransomware like LockBit Black.

As mentioned, Phorpiex can be used to send spam emails, including ones with malicious attachments or links. When no C2 server is reachable, Phorpiex can operate in P2P mode, which lets it continue spreading and executing malware without relying on centralized control.
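The execution chain above (Run-key persistence, self-copy to removable or shared drives, outbound C2 connection) can be triaged from endpoint telemetry. The following is an added detection example, not ANY.RUN's code; the event records are constructed to imitate a simplified Sysmon/EDR feed, and the field names, paths and IP addresses are assumptions.

```python
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)

# Constructed sample events (assumed schema): a worm-like process and a benign updater.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "process_create",
     "image": r"C:\Users\victim\AppData\Local\Temp\sysupdate.exe"},
    {"pid": 4120, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinDrv",
     "value": r"C:\Users\victim\AppData\Local\Temp\sysupdate.exe"},
    {"pid": 4120, "type": "file_create", "path": r"E:\sysupdate.exe"},
    {"pid": 4120, "type": "file_create", "path": r"\\fileserver\share\sysupdate.exe"},
    {"pid": 4120, "type": "net_connect", "dst": "203.0.113.7", "port": 80},
    {"pid": 880, "type": "process_create",
     "image": r"C:\Program Files\Vendor\updater.exe"},
    {"pid": 880, "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"pid": 880, "type": "net_connect", "dst": "203.0.113.9", "port": 443},
]

def triage(events):
    """Return {pid: indicators} for processes that show the worm/loader chain."""
    image = {}
    findings = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image[pid] = ev["image"]
        elif ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
            # Run-key persistence is common; flag it only for user-writable targets.
            if USER_WRITABLE.match(ev["value"]):
                findings[pid].add("run_key_persistence_userwritable")
        elif ev["type"] == "file_create":
            own = image.get(pid, "").rsplit("\\", 1)[-1].lower()
            dest = ev["path"]
            dropped = dest.rsplit("\\", 1)[-1].lower()
            # Copy of its own binary to a non-system drive or UNC share: worm-like spreading.
            if own and dropped == own and (dest.startswith("\\\\") or not dest.upper().startswith("C:\\")):
                findings[pid].add("self_copy_to_removable_or_share")
        elif ev["type"] == "net_connect":
            findings[pid].add("outbound_connection")
    # Report only processes combining persistence and spreading; a lone connection is noise.
    return {p: f for p, f in findings.items()
            if {"run_key_persistence_userwritable", "self_copy_to_removable_or_share"} <= f}
```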


Phorpiex malware technical details

Phorpiex is a modular malware, meaning that it has dedicated modules for different types of malicious activities.

The key function of Phorpiex since its launch has been building a network of bots, compromised systems that can then be leveraged for malicious activities. Unlike botnets such as Mirai or Gafgyt, Phorpiex does not use its infrastructure to carry out DDoS attacks. Instead, it has been observed orchestrating spam email campaigns. In 2018, the malware’s database of over 40 million target email addresses was exposed, revealing the extent of its campaigns. A typical Phorpiex spam email pairs an attachment containing a malicious payload with a message asking the user to open it.

The malware is equipped with a loader module that lets it distribute other malicious payloads on the systems it manages to infiltrate. Over the years, it has been used to push different malware families, including Nemty and GandCrab.

It also has crypto clipping capabilities, supporting dozens of wallet types and cryptocurrencies. The malware replaces cryptocurrency addresses that the victim copies to the clipboard with the attacker’s addresses, tricking the victim into sending their virtual funds to the attacker’s wallets.
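A clipper leaves a recognisable trace: one valid wallet address silently replaced by another of the same currency moments after it was copied. The following clipboard-guard heuristic is an added example, not ANY.RUN's code; the address patterns are simplified (no checksum verification) and the clipboard timeline is constructed.

```python
import re

# Simplified patterns for wallet types clippers commonly target (assumption: no checksum check).
ADDRESS_KINDS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    text = text.strip()
    for kind, pattern in ADDRESS_KINDS.items():
        if pattern.match(text):
            return kind
    return None

def detect_swaps(snapshots, window=2.0):
    """snapshots: list of (seconds, clipboard_text) taken by periodic polling.
    Flag an address of one currency being replaced by a different address of the
    same currency within `window` seconds: a user re-copying rarely does that,
    a clipper does exactly that."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        k0, k1 = address_kind(before), address_kind(after)
        if k0 and k0 == k1 and before.strip() != after.strip() and (t1 - t0) <= window:
            alerts.append({"at": t1, "kind": k0,
                           "expected": before.strip(), "seen": after.strip()})
    return alerts

# Constructed timeline: the user copies a BTC address, it is overwritten 0.3 s later,
# and a later ETH address is a separate, legitimate copy.
SAMPLE_TIMELINE = [
    (0.0, "meeting notes"),
    (1.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (1.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (9.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
]
```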

The latest version of the malware operates in peer-to-peer mode. This means that devices infected with Phorpiex can not only spread the malware further but also control other machines in the network.

Some of the older variants of the malware also used XMRig to mine the Monero cryptocurrency using the resources of the infected hosts.

The malware possesses anti-VM and anti-debugging capabilities. It ensures persistence by modifying registry entries so that it runs automatically. Some versions are also capable of disabling common detection systems, such as Windows Defender.

Phorpiex malware distribution methods

According to some estimates, since its release, Phorpiex has been used to infect over a million devices. One of the primary reasons for its extensive reach is its worm module, which allows it to self-propagate across networks and devices. A worm module is a component of malware that enables it to replicate itself and spread to other systems without the need for human interaction.

However, the worm module is not the only method Phorpiex uses for distribution. It has also been known to spread through spam emails. These emails often contain malicious attachments or links to download sites. Additionally, Phorpiex has been observed being dropped by other loader malware.

Conclusion

Phorpiex remains a significant cybersecurity threat to organizations and individuals. To prevent infection, it is crucial to implement proper security controls. One of the key components of a solid security strategy is the use of a malware analysis sandbox.

ANY.RUN's interactive sandbox offers a number of features that simplify and accelerate the process of malware analysis, as it:

  • Identifies threats in files and URLs in less than 40 seconds.
  • Allows for direct interaction with the samples and the system, similar to a regular computer.
  • Provides customizable Windows and Linux virtual machines to suit your specific needs.
  • Generates detailed reports outlining the nature and extent of the identified threats.
  • Reveals all malicious activities related to the network, registry, and files, as well as the processes involved.

