SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phorpiex (Back to overview)

Phorpiex

aka: Trik
URLhaus      

Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

References
2021-05-20MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210520:phorpiex:1a8fb3c, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment}}, date = {2021-05-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/}, language = {English}, urldate = {2021-05-26} } Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment
Phorpiex
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-02-18LastlineJason Zhang, Stefano Ortolani
@online{zhang:20200218:nemty:8d6340a, author = {Jason Zhang and Stefano Ortolani}, title = {{Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders}}, date = {2020-02-18}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/}, language = {English}, urldate = {2020-02-23} } Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
Nemty Phorpiex
2020-01-23ZDNetCatalin Cimpanu
@online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus
Phorpiex
2019-11-19Check PointAlexey Bukhteyev
@online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } Phorpiex Breakdown
Phorpiex
2019-11-04SymantecNguyen Hoang Giang, Eduardo Altares, Muhammad Hasib Latif
@online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
Nemty Phorpiex
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-03-06CrowdStrikeBrendon Feeley, Bex Hartley, Sergei Frankoff
@online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
Gandcrab Phorpiex PINCHY SPIDER ZOMBIE SPIDER
2018-06-12Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } Trik Spam Botnet Leaks 43 Million Email Addresses
Phorpiex
2018-05-24ProofpointProofpoint Staff
@online{staff:20180524:phorpiex:81572f0, author = {Proofpoint Staff}, title = {{Phorpiex – A decade of spamming from the shadows}}, date = {2018-05-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows}, language = {English}, urldate = {2019-12-20} } Phorpiex – A decade of spamming from the shadows
Phorpiex
2016-02-21Johannes Bader BlogJohannes Bader
@online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } Phorpiex - An IRC worm
Phorpiex
2013-01-21Trend MicroMark Joseph Manahan
@online{manahan:20130121:shylock:981b444, author = {Mark Joseph Manahan}, title = {{Shylock Not the Lone Threat Targeting Skype}}, date = {2013-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/}, language = {English}, urldate = {2020-01-13} } Shylock Not the Lone Threat Targeting Skype
Phorpiex
Yara Rules
[TLP:WHITE] win_phorpiex_auto (20210616 | Detects win.phorpiex.)
rule win_phorpiex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.phorpiex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 ff15???????? ff15???????? 50 e8???????? }
            // n = 5, score = 1100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { ff15???????? 85c0 740f 6a07 }
            // n = 4, score = 1100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_2 = { ff15???????? 85c0 741f 6880000000 }
            // n = 4, score = 1000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   6880000000           | push                0x80

        $sequence_3 = { 83c410 6a00 6a02 6a02 6a00 }
            // n = 5, score = 900
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0

        $sequence_4 = { e8???????? 99 b930750000 f7f9 }
            // n = 4, score = 900
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b930750000           | mov                 ecx, 0x7530
            //   f7f9                 | idiv                ecx

        $sequence_5 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 }
            // n = 6, score = 800
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { e8???????? 99 b90d000000 f7f9 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b90d000000           | mov                 ecx, 0xd
            //   f7f9                 | idiv                ecx

        $sequence_7 = { 50 e8???????? 83c404 e8???????? e8???????? ff15???????? 6a00 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_8 = { 6a00 6a00 6a00 6a08 68???????? }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a08                 | push                8
            //   68????????           |                     

        $sequence_9 = { 6a01 ff15???????? ff15???????? b001 }
            // n = 4, score = 700
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   b001                 | mov                 al, 1

        $sequence_10 = { ff15???????? 6a00 ff15???????? 85c0 7418 }
            // n = 5, score = 700
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a

        $sequence_11 = { 52 683f000f00 6a00 68???????? 6802000080 ff15???????? 85c0 }
            // n = 7, score = 700
            //   52                   | push                edx
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_12 = { ff15???????? 85c0 7522 6a00 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7522                 | jne                 0x24
            //   6a00                 | push                0

        $sequence_13 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? }
            // n = 5, score = 700
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d85f8fdffff         | lea                 eax, dword ptr [ebp - 0x208]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_14 = { 6a00 6a00 682a800000 6a00 ff15???????? }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   682a800000           | push                0x802a
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_15 = { f7f9 81c210270000 52 e8???????? }
            // n = 4, score = 600
            //   f7f9                 | idiv                ecx
            //   81c210270000         | add                 edx, 0x2710
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_16 = { 7206 837dfc73 7607 32c0 e9???????? }
            // n = 5, score = 600
            //   7206                 | jb                  8
            //   837dfc73             | cmp                 dword ptr [ebp - 4], 0x73
            //   7607                 | jbe                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_17 = { e9???????? eb13 837dfc19 7206 837dfc2d }
            // n = 5, score = 600
            //   e9????????           |                     
            //   eb13                 | jmp                 0x15
            //   837dfc19             | cmp                 dword ptr [ebp - 4], 0x19
            //   7206                 | jb                  8
            //   837dfc2d             | cmp                 dword ptr [ebp - 4], 0x2d

        $sequence_18 = { 50 e8???????? 59 59 85c0 0f85c0000000 }
            // n = 6, score = 500
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f85c0000000         | jne                 0xc6

        $sequence_19 = { 6a21 50 e8???????? c60000 }
            // n = 4, score = 500
            //   6a21                 | push                0x21
            //   50                   | push                eax
            //   e8????????           |                     
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_20 = { 3d00010000 7504 83c8ff c3 8b542404 }
            // n = 5, score = 500
            //   3d00010000           | cmp                 eax, 0x100
            //   7504                 | jne                 6
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_21 = { ff15???????? 3db7000000 7508 6a00 ff15???????? 6804010000 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   3db7000000           | cmp                 eax, 0xb7
            //   7508                 | jne                 0xa
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        $sequence_22 = { 740e 803e00 7401 46 8813 43 803b00 }
            // n = 7, score = 400
            //   740e                 | je                  0x10
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7401                 | je                  3
            //   46                   | inc                 esi
            //   8813                 | mov                 byte ptr [ebx], dl
            //   43                   | inc                 ebx
            //   803b00               | cmp                 byte ptr [ebx], 0

        $sequence_23 = { 83c40c e8???????? 99 b960ea0000 f7f9 }
            // n = 5, score = 400
            //   83c40c               | add                 esp, 0xc
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b960ea0000           | mov                 ecx, 0xea60
            //   f7f9                 | idiv                ecx

        $sequence_24 = { ff15???????? 8d4c2404 51 68???????? 8d942410010000 6804010000 52 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   8d4c2404             | lea                 ecx, dword ptr [esp + 4]
            //   51                   | push                ecx
            //   68????????           |                     
            //   8d942410010000       | lea                 edx, dword ptr [esp + 0x110]
            //   6804010000           | push                0x104
            //   52                   | push                edx

        $sequence_25 = { 50 e8???????? 83c410 e8???????? 99 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   99                   | cdq                 

        $sequence_26 = { 6a00 6a00 6800000040 8d942424010000 52 ff15???????? }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6800000040           | push                0x40000000
            //   8d942424010000       | lea                 edx, dword ptr [esp + 0x124]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_27 = { 57 68e8030000 ff15???????? e8???????? be???????? }
            // n = 5, score = 300
            //   57                   | push                edi
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   e8????????           |                     
            //   be????????           |                     

        $sequence_28 = { 50 8d45ec 50 6805000020 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   6805000020           | push                0x20000005

        $sequence_29 = { 663bc2 72f7 53 33c0 56 57 }
            // n = 6, score = 300
            //   663bc2               | cmp                 ax, dx
            //   72f7                 | jb                  0xfffffff9
            //   53                   | push                ebx
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi
            //   57                   | push                edi

    condition:
        7 of them and filesize < 2490368
}
Download all Yara Rules