Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Phorpiex

49
Global rank
54 infographic chevron month
Month rank
48 infographic chevron week
Week rank
0
IOCs

Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.

Botnet
Type
Unknown
Origin
1 August, 2016
First seen
30 December, 2024
Last seen
Also known as
Trik

How to analyze Phorpiex with ANY.RUN

Type
Unknown
Origin
1 August, 2016
First seen
30 December, 2024
Last seen

IOCs

IP addresses
173.231.184.124
173.231.184.122
199.21.76.81
63.251.126.10
72.5.161.12
72.26.218.86
66.79.104.155
37.254.198.8
185.68.20.67
5.77.178.216
46.100.181.186
217.12.85.22
37.144.204.226
42.248.183.116
5.239.159.10
213.230.69.229
154.65.129.46
200.93.73.250
151.239.29.44
78.39.229.161
Domains
conformfucdioz.shop
catchddkxozvp.shop
arriveoxpzxo.shop
replacedoxcjzp.shop
declaredczxi.shop
contemplateodszsv.shop
bindceasdiwozx.shop
applyzxcksdia.shop
ouauooaoaoeeutr.io
aaaeieiiiofffla.co
infineinfinigla.co
eobbeaubfeuuela.co
fgeauhfouehurla.co
aauaaaeieiieezt.io
oeoaoueuoeuoala.co
plporsiszsgetla.co
aaaeieiiioffftr.cc
eiiiaoihoaerula.co
infineinfinigtr.cc
aaauuwiifoogetr.cc
URLs
http://twizt.net/m.exe
http://deauduafzgezzfgm.top/t1.exe
http://185.215.113.66/xmr.exe
http://185.215.113.66/rvn.exe
http://185.215.113.66/mindel.exe
http://185.215.113.66/rvndel.exe
http://185.215.113.66/peinf.exe
http://91.202.233.141/5
http://91.202.233.141/4
http://91.202.233.141/3
http://91.202.233.141/2
http://91.202.233.141/1
http://185.215.113.66/5
http://185.215.113.66/4
http://185.215.113.66/3
http://185.215.113.66/2
http://185.215.113.66/tcoin.exe
http://twizt.net/peinstall.php
http://twizt.net/newtpp.exe
http://185.215.113.66/1
Last Seen at
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q4, 2024 
watchers 232
comments 0
post image
Integrate ANY.RUN Threat Intelligence Feeds w...
watchers 2097
comments 0
post image
2024 Wrapped: A Year of Growth, Innovation, a...
watchers 156
comments 0

What is Phorpiex malware?

Phorpiex is a botnet malware written in C++ that was first spotted back in 2016. Originally, it relied on brute forcing for infiltrating devices through the use of default login credentials. Once on the system, the malicious software received instructions from its authors to deliver extra payloads, thus, serving as a loader. Another feature of the threat is its worm-like behavior that allows it to spread via USB drives.

The malware has been used to infect thousands of devices and install various malicious programs, including ransomware and cryptojacking software. It was also employed in sextortion campaigns that involved distributing phishing emails to users from a leaked database, requesting them to pay to the attackers.

In August 2021, it was deactivated by its operators. During this time, Phorpiex’s source code was put up for sale on a dark web forum. This, however, did not spell the end to the malware, as it was back in operation by the end of the year. This time, the malware heavily targeted virtual currency users through crypto clipping. In these attacks, the botnet automatically replaced victims’ crypto wallet addresses with those of the operators, duping them into transferring funds to the criminals.

In 2024, the malware made a serious comeback as part of another large-scale phishing campaign, sending thousands of emails to victims containing the LockBit ransomware.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Phorpiex botnet execution process

To see how the latest version of the malware operates on an infected system, let’s upload its sample to ANY.RUN’s cloud malware sandbox .

Phorpiex analysis in ANY.RUN Phorpiex sample analysis in ANY.RUN sandbox

After Phorpiex malware is delivered and installed on the machine, it adds a registry key to ensure it runs automatically at startup. It also introduces a mutex to prevent multiple instances from running.

Phorpiex analysis in ANY.RUN Phorpiex process graph in ANY.RUN

Since the malware acts as a worm, it instantly starts infecting removable and shared drives by creating copies of itself on these drives to spread. Phorpiex can compromise system security by disabling security features, allowing it to maintain persistence and continue spreading.

The malware also tries to connect to malicious command and control (C2) servers. If the connection is successful, Phorpiex downloads and executes additional malware, such as cryptominers or ransomware like LockBit Black.

As mentioned, Phorpiex can be used to send spam emails, including those with malicious attachments or links. In the absence of active C2 servers, Phorpiex can operate in P2P mode, enabling it to continue spreading and executing malware without relying on centralized control.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Phorpiex malware technical details

Phorpiex is a modular malware, meaning that it has dedicated modules for different types of malicious activities.

The key function of Phorpiex since its launch has been creating a network of bots, compromised systems, which then can be leveraged to conduct malicious activities. Unlike botnets, such as Mirai or Gafgyt, Phorpiex does not use its infrastructure to carry out DDoS attacks. Instead, it has been observed to orchestrate spam email campaigns. In 2018, the malware’s database of over 40 million target email addresses was exposed, revealing the extent of its campaigns. A typical spam email from Phorpiex involves an attachment containing a malicious payload and a message, accompanying it, that asks the user to open the attachment.

The malware is equipped with a loader module that lets it distribute other malicious payloads on the systems it manages to infiltrate. Over the years, it has been utilized to push different malware families, including Nemty and GandCrab

It also has crypto clipping capabilities, supporting dozens of wallet types and cryptocurrencies. The malware changes the crypto addresses copied by the victim to the clipboard and tricks them into sending their virtual funds to the attacker’s wallets.

The latest version of the malware operates in the peer-to-peer mode. This means that devices infected with Phorpiex can not only spread the malware further but also control other machines in the network.

Some of the older variants of the malware also used XMRig to mine the Monero cryptocurrency using the resources of the infected hosts.

The malware possesses anti-vm and anti-debugging capabilities. It ensures persistence by modifying registry entries to run automatically. Some versions of the malware are also capable of disabling common detection systems, such as Windows Defender.

Phorpiex malware distribution methods

According to some estimates, since its release, Phorpiex has been used to infect over a million devices. One of the primary reasons for its extensive reach is its worm module, which allows it to self-propagate across networks and devices. A worm module is a component of malware that enables it to replicate itself and spread to other systems without the need for human interaction.

However, the worm module is not the only method Phorpiex uses for distribution. It has also been known to spread through spam emails. These emails often contain malicious attachments or links to download sites. Additionally, Phorpiex has been observed being dropped by other loader malware.

Conclusion

Phorpiex remains a significant cybersecurity threat to organizations and individuals. To ensure the infection does not occur it is crucial to implement proper security controls. One of the key components of a solid security strategy is the use of a malware analysis sandbox.

ANY.RUN's interactive sandbox offers a number of features that simplify and accelerate the process of malware analysis, as it:

  • Identifies threats in files and URLs in less than 40 seconds.
  • Allows for direct interaction with the samples and the system, similar to a regular computer.
  • Provides customizable Windows and Linux virtual machines to suit your specific needs.
  • Generates detailed reports outlining the nature and extent of the identified threats.
  • Reveals all malicious activities related to the network, registry, and files, as well as the processes involved.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More