win.phorpiex

Phorpiex

aka: Trik

Proofpoint describes Phorpiex/Trik as an SDBot fork (and therefore IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

References
2021-02-02 — CRONUP — Germán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-20 — ZDNet — Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-02-18 — Lastline — Jason Zhang, Stefano Ortolani
@online{zhang:20200218:nemty:8d6340a, author = {Jason Zhang and Stefano Ortolani}, title = {{Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders}}, date = {2020-02-18}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/}, language = {English}, urldate = {2020-02-23} } Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
Nemty Phorpiex
2020-01-23 — ZDNet — Catalin Cimpanu
@online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus
Phorpiex
2019-11-19 — Check Point — Alexey Bukhteyev
@online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } Phorpiex Breakdown
Phorpiex
2019-11-04 — Symantec — Nguyen Hoang Giang, Eduardo Altares, Muhammad Hasib Latif
@online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
Nemty Phorpiex
2019-09-09 — McAfee — Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-03-06 — CrowdStrike — Brendon Feeley, Bex Hartley, Sergei Frankoff
@online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
Gandcrab Phorpiex Pinchy Spider Zombie Spider
2018-06-12 — Bleeping Computer — Catalin Cimpanu
@online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } Trik Spam Botnet Leaks 43 Million Email Addresses
Phorpiex
2018-05-24 — Proofpoint — Proofpoint Staff
@online{staff:20180524:phorpiex:81572f0, author = {Proofpoint Staff}, title = {{Phorpiex – A decade of spamming from the shadows}}, date = {2018-05-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows}, language = {English}, urldate = {2019-12-20} } Phorpiex – A decade of spamming from the shadows
Phorpiex
2016-02-21 — Johannes Bader Blog — Johannes Bader
@online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } Phorpiex - An IRC worm
Phorpiex
2013-01-21 — Trend Micro — Mark Joseph Manahan
@online{manahan:20130121:shylock:981b444, author = {Mark Joseph Manahan}, title = {{Shylock Not the Lone Threat Targeting Skype}}, date = {2013-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/}, language = {English}, urldate = {2020-01-13} } Shylock Not the Lone Threat Targeting Skype
Phorpiex
Yara Rules
[TLP:WHITE] win_phorpiex_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_phorpiex_auto {

    // Auto-generated code-sequence signature for the win.phorpiex family.
    // It matches short x86 opcode sequences selected from the disassembly of
    // unpacked files and memory dumps (see DISCLAIMER below), so it is meant
    // for unpacked code / dumps rather than packed on-disk samples.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): "date" is the rule generation date; malpedia_version
        // below presumably names the Malpedia data snapshot the samples came
        // from (it matches the version in the page header) — confirm against
        // the yara-signator documentation before relying on either.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Notation: each hex string is one instruction sequence; "??" nibbles are
    // YARA wildcards that mask relocatable bytes (call/jmp targets, import
    // thunks, data references) so the sequence still matches at a different
    // load address — those instructions carry no disassembly in the comments.
    // "n" is the number of instructions in the sequence; "score" is the rank
    // yara-signator assigned to it (higher is listed first). Treat the score
    // as the tool's ranking, not as a calibrated confidence value.
    //
    // Many of the high-scoring sequences (e.g. $sequence_0, _2, _4, _5, _7,
    // _8) are generic argument-setup / import-call patterns that ordinary
    // Win32 code also produces; the specificity of this rule comes from the
    // "7 of them" threshold in the condition rather than from any single
    // string. Test against a clean corpus before assigning a confidence level.
    strings:
        $sequence_0 = { 6a00 ff15???????? ff15???????? 50 e8???????? 83c404 }
            // n = 6, score = 1000
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // cdq + idiv: sign-extends the preceding call's return value and
        // divides it by 0x7530 (30000 decimal); quotient in eax, remainder
        // in edx. Purpose of the divisor is not visible here.
        $sequence_1 = { e8???????? 99 b930750000 f7f9 }
            // n = 4, score = 900
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b930750000           | mov                 ecx, 0x7530
            //   f7f9                 | idiv                ecx

        $sequence_2 = { 6a00 6a20 6a00 6a00 6a00 8b5508 }
            // n = 6, score = 900
            //   6a00                 | push                0
            //   6a20                 | push                0x20
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_3 = { ff15???????? 85c0 740f 6a07 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_4 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 }
            // n = 6, score = 800
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { 83c410 6a00 6a02 6a02 6a00 }
            // n = 5, score = 800
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0

        // Same cdq + idiv shape as $sequence_1 with divisor 0xd (13 decimal).
        $sequence_6 = { e8???????? 99 b90d000000 f7f9 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b90d000000           | mov                 ecx, 0xd
            //   f7f9                 | idiv                ecx

        $sequence_7 = { 83c404 e8???????? e8???????? ff15???????? 6a00 }
            // n = 5, score = 800
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_8 = { ff15???????? 6a00 ff15???????? 85c0 7418 ff15???????? }
            // n = 6, score = 700
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a
            //   ff15????????         |                     

        // NOTE(review): the pushed immediates 0x80000002 and 0xf003f equal the
        // Win32 HKEY_LOCAL_MACHINE and KEY_ALL_ACCESS constants, and the
        // argument order is consistent with a registry key open via an
        // import call — the callee is masked, so confirm in a sample.
        $sequence_9 = { 52 683f000f00 6a00 68???????? 6802000080 ff15???????? 85c0 }
            // n = 7, score = 700
            //   52                   | push                edx
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_10 = { ff15???????? 85c0 741f 6880000000 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   6880000000           | push                0x80

        // Function prologue (mov ebp, esp / sub esp, 8) followed by an
        // import call whose result is tested — a very common shape; it is
        // included for its exact byte pattern, not because it is distinctive.
        $sequence_11 = { 8bec 83ec08 6a00 ff15???????? 85c0 7440 6a01 }
            // n = 7, score = 600
            //   8bec                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   6a01                 | push                1

        $sequence_12 = { 7429 8b45f8 50 ff15???????? 8945fc 837dfc00 7416 }
            // n = 7, score = 600
            //   7429                 | je                  0x2b
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7416                 | je                  0x18

        // 0x104 (260 decimal) equals MAX_PATH; the push is consistent with a
        // path-buffer size argument (also seen in $sequence_19).
        $sequence_13 = { 7508 6a00 ff15???????? 6804010000 }
            // n = 4, score = 500
            //   7508                 | jne                 0xa
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        // Early-out returning -1 (or eax, 0xffffffff; ret) when eax == 0x100.
        $sequence_14 = { 3d00010000 7504 83c8ff c3 8b542404 }
            // n = 5, score = 500
            //   3d00010000           | cmp                 eax, 0x100
            //   7504                 | jne                 6
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_15 = { 6a21 50 e8???????? c60000 }
            // n = 4, score = 500
            //   6a21                 | push                0x21
            //   50                   | push                eax
            //   e8????????           |                     
            //   c60000               | mov                 byte ptr [eax], 0

        // $sequence_16 and $sequence_17 overlap: both walk a string pointed to
        // by a table entry at [ebx + esi*4] byte by byte until a NUL (test
        // cl, cl / jne back), i.e. an inlined string-length loop.
        $sequence_16 = { 83c40c 8b04b3 8d5001 8d4900 8a08 }
            // n = 5, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8b04b3               | mov                 eax, dword ptr [ebx + esi*4]
            //   8d5001               | lea                 edx, [eax + 1]
            //   8d4900               | lea                 ecx, [ecx]
            //   8a08                 | mov                 cl, byte ptr [eax]

        $sequence_17 = { 8d4900 8a08 40 84c9 75f9 8b0cb3 2bc2 }
            // n = 7, score = 400
            //   8d4900               | lea                 ecx, [ecx]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   8b0cb3               | mov                 ecx, dword ptr [ebx + esi*4]
            //   2bc2                 | sub                 eax, edx

        // Stack buffer at [ebp - 0x208]: 0x208 = 520 = MAX_PATH * 2, which
        // presumably is a wide-character path buffer — confirm in a sample.
        $sequence_18 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? }
            // n = 5, score = 400
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_19 = { 56 6804010000 8d442408 50 68???????? ff15???????? }
            // n = 6, score = 400
            //   56                   | push                esi
            //   6804010000           | push                0x104
            //   8d442408             | lea                 eax, [esp + 8]
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_20 = { 50 e8???????? 83c410 e8???????? 99 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   99                   | cdq                 

        // Low-scoring (200) sequences: present in fewer reference samples, so
        // expect them to contribute less often.
        // $sequence_21 / $sequence_25 compare al against ASCII letters
        // ('I' 0x49, 'l' 0x6c; 'r' 0x72, 't' 0x74, 'z' 0x7a) with backward
        // jumps — a character-classification loop.
        $sequence_21 = { 74e4 3c49 74e0 3c6c 74dc 0fbec0 50 }
            // n = 7, score = 200
            //   74e4                 | je                  0xffffffe6
            //   3c49                 | cmp                 al, 0x49
            //   74e0                 | je                  0xffffffe2
            //   3c6c                 | cmp                 al, 0x6c
            //   74dc                 | je                  0xffffffde
            //   0fbec0               | movsx               eax, al
            //   50                   | push                eax

        // Unsigned range check: ebx in [0x19, 0x2d] (25..45 decimal).
        $sequence_22 = { 83fb19 7205 83fb2d 760f 32c0 }
            // n = 5, score = 200
            //   83fb19               | cmp                 ebx, 0x19
            //   7205                 | jb                  7
            //   83fb2d               | cmp                 ebx, 0x2d
            //   760f                 | jbe                 0x11
            //   32c0                 | xor                 al, al

        // NOTE(review): 0x40000000 is the Win32 GENERIC_WRITE access value and
        // [ebp - 0x410] is a 1040-byte stack buffer; this looks like a file
        // open for writing through an import call — callee masked, confirm.
        $sequence_23 = { 6a02 57 57 6800000040 8d85f0fbffff 50 ff15???????? }
            // n = 7, score = 200
            //   6a02                 | push                2
            //   57                   | push                edi
            //   57                   | push                edi
            //   6800000040           | push                0x40000000
            //   8d85f0fbffff         | lea                 eax, [ebp - 0x410]
            //   50                   | push                eax
            //   ff15????????         |                     

        // Loop while eax > 0x19, then iterates bytes at [edi + esi] for ebx
        // iterations (test ebx, ebx / jbe skips the empty case).
        $sequence_24 = { 83f819 77f1 33ff 85db 7631 8a0437 }
            // n = 6, score = 200
            //   83f819               | cmp                 eax, 0x19
            //   77f1                 | ja                  0xfffffff3
            //   33ff                 | xor                 edi, edi
            //   85db                 | test                ebx, ebx
            //   7631                 | jbe                 0x33
            //   8a0437               | mov                 al, byte ptr [edi + esi]

        $sequence_25 = { 3c72 7408 3c74 7404 3c7a }
            // n = 5, score = 200
            //   3c72                 | cmp                 al, 0x72
            //   7408                 | je                  0xa
            //   3c74                 | cmp                 al, 0x74
            //   7404                 | je                  6
            //   3c7a                 | cmp                 al, 0x7a

    // At least 7 of the 26 sequences must match, and the scanned object must
    // be smaller than 2490368 bytes (0x260000, about 2.4 MiB). The size cap is
    // a cheap pre-filter for files; when scanning whole process memory dumps
    // it will suppress matches, so scan the unpacked module instead or
    // evaluate the rule without the filesize term in that workflow.
    condition:
        7 of them and filesize < 2490368
}