SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phorpiex (Back to overview)

Phorpiex

aka: Trik, phorphiex
VTCollection     URLhaus      

Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

References
2021-12-16Check Point ResearchAlexey Bukhteyev
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions
Phorpiex
2021-11-11vmwareGiovanni Vigna, Jason Zhang, Stefano Ortolani, Threat Analysis Unit
Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot
2021-10-12Twitter (@_CPResearch_)Check Point Research
Tweet of re-emergence phorpiex with a new "Twizt" module
Phorpiex
2021-08-27The RecordCatalin Cimpanu
Phorpiex botnet shuts down, source code goes up for sale
Phorpiex
2021-05-20MicrosoftMicrosoft 365 Defender Threat Intelligence Team
Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment
Phorpiex
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-02-18LastlineJason Zhang, Stefano Ortolani
Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
Nemty Phorpiex
2020-01-27CheckpointCheckpoint Research
Phorpiex Arsenal: Part I
Phorpiex
2020-01-23ZDNetCatalin Cimpanu
Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus
Phorpiex
2019-11-19Check PointAlexey Bukhteyev
Phorpiex Breakdown
Phorpiex
2019-11-04SymantecEduardo Altares, Muhammad Hasib Latif, Nguyen Hoang Giang
Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
Nemty Phorpiex
2019-09-09McAfeeChintan Shah, Marc Rivero López, Thomas Roccia
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-03-06CrowdStrikeBex Hartley, Brendon Feeley, Sergei Frankoff
PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
Gandcrab Phorpiex PINCHY SPIDER ZOMBIE SPIDER
2018-06-12Bleeping ComputerCatalin Cimpanu
Trik Spam Botnet Leaks 43 Million Email Addresses
Phorpiex
2018-05-24ProofpointProofpoint Staff
Phorpiex – A decade of spamming from the shadows
Phorpiex
2016-02-21Johannes Bader BlogJohannes Bader
Phorpiex - An IRC worm
Phorpiex
2013-01-21Trend MicroMark Joseph Manahan
Shylock Not the Lone Threat Targeting Skype
Phorpiex
Yara Rules
[TLP:WHITE] win_phorpiex_auto (20230808 | Detects win.phorpiex.)
rule win_phorpiex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.phorpiex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 ff15???????? ff15???????? 50 e8???????? }
            // n = 5, score = 1100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { ff15???????? 85c0 740f 6a07 }
            // n = 4, score = 1100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   6a07                 | push                7

        $sequence_2 = { ff15???????? 85c0 741f 6880000000 }
            // n = 4, score = 1000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   6880000000           | push                0x80

        $sequence_3 = { 6a20 6a00 6a00 6a00 8b5508 52 6a00 }
            // n = 7, score = 900
            //   6a20                 | push                0x20
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   6a00                 | push                0

        $sequence_4 = { e8???????? 83c410 6a00 6a02 6a02 6a00 6a00 }
            // n = 7, score = 900
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_5 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 }
            // n = 6, score = 800
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { e8???????? 99 b90d000000 f7f9 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b90d000000           | mov                 ecx, 0xd
            //   f7f9                 | idiv                ecx

        $sequence_7 = { 52 ff15???????? 6a00 6a00 6a00 6a00 68???????? }
            // n = 7, score = 800
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_8 = { 50 e8???????? 83c404 e8???????? e8???????? ff15???????? }
            // n = 6, score = 800
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e8????????           |                     
            //   e8????????           |                     
            //   ff15????????         |                     

        $sequence_9 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? }
            // n = 5, score = 700
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_10 = { 6a00 ff15???????? 85c0 7418 ff15???????? }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a
            //   ff15????????         |                     

        $sequence_11 = { 6a01 ff15???????? ff15???????? b001 }
            // n = 4, score = 700
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   b001                 | mov                 al, 1

        $sequence_12 = { 6a00 682a800000 6a00 ff15???????? }
            // n = 4, score = 700
            //   6a00                 | push                0
            //   682a800000           | push                0x802a
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_13 = { 52 683f000f00 6a00 68???????? 6802000080 ff15???????? 85c0 }
            // n = 7, score = 700
            //   52                   | push                edx
            //   683f000f00           | push                0xf003f
            //   6a00                 | push                0
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_14 = { 68???????? ff15???????? e9???????? 8d45fc }
            // n = 4, score = 600
            //   68????????           |                     
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_15 = { 50 ff15???????? 8945fc 837dfc00 7416 8b4df8 }
            // n = 6, score = 600
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7416                 | je                  0x18
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_16 = { f7f9 81c210270000 52 e8???????? }
            // n = 4, score = 600
            //   f7f9                 | idiv                ecx
            //   81c210270000         | add                 edx, 0x2710
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_17 = { e8???????? 99 b930750000 f7f9 81c210270000 }
            // n = 5, score = 600
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b930750000           | mov                 ecx, 0x7530
            //   f7f9                 | idiv                ecx
            //   81c210270000         | add                 edx, 0x2710

        $sequence_18 = { 50 e8???????? 59 59 85c0 7573 }
            // n = 6, score = 500
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7573                 | jne                 0x75

        $sequence_19 = { 3d00010000 7504 83c8ff c3 8b542404 }
            // n = 5, score = 500
            //   3d00010000           | cmp                 eax, 0x100
            //   7504                 | jne                 6
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_20 = { 7508 6a00 ff15???????? 6804010000 }
            // n = 4, score = 500
            //   7508                 | jne                 0xa
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        $sequence_21 = { 6a21 50 e8???????? c60000 }
            // n = 4, score = 500
            //   6a21                 | push                0x21
            //   50                   | push                eax
            //   e8????????           |                     
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_22 = { e8???????? 83c41c 6880000000 8d4c240c 51 ff15???????? 6a00 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   6880000000           | push                0x80
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_23 = { 52 e8???????? 99 b960ea0000 f7f9 }
            // n = 5, score = 400
            //   52                   | push                edx
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b960ea0000           | mov                 ecx, 0xea60
            //   f7f9                 | idiv                ecx

        $sequence_24 = { 6880000000 8d8424b4000000 50 6a0c 8d4c2420 51 6800142d00 }
            // n = 7, score = 400
            //   6880000000           | push                0x80
            //   8d8424b4000000       | lea                 eax, [esp + 0xb4]
            //   50                   | push                eax
            //   6a0c                 | push                0xc
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   51                   | push                ecx
            //   6800142d00           | push                0x2d1400

        $sequence_25 = { 83790c00 7419 83791800 7418 83c130 83c004 81f9???????? }
            // n = 7, score = 400
            //   83790c00             | cmp                 dword ptr [ecx + 0xc], 0
            //   7419                 | je                  0x1b
            //   83791800             | cmp                 dword ptr [ecx + 0x18], 0
            //   7418                 | je                  0x1a
            //   83c130               | add                 ecx, 0x30
            //   83c004               | add                 eax, 4
            //   81f9????????         |                     

        $sequence_26 = { 72f7 53 33c0 56 57 663bc2 }
            // n = 6, score = 300
            //   72f7                 | jb                  0xfffffff9
            //   53                   | push                ebx
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   663bc2               | cmp                 ax, dx

        $sequence_27 = { 56 57 68e8030000 ff15???????? e8???????? be???????? }
            // n = 6, score = 300
            //   56                   | push                esi
            //   57                   | push                edi
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   e8????????           |                     
            //   be????????           |                     

        $sequence_28 = { 50 8d45ec 50 6805000020 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   6805000020           | push                0x20000005

        $sequence_29 = { 8d45f8 50 8d45e4 50 6805000020 }
            // n = 5, score = 200
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   6805000020           | push                0x20000005

    condition:
        7 of them and filesize < 2490368
}
Download all Yara Rules