Win32/Phorpiex

Forum for analysis and discussion about malware.
markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Win32/Phorpiex

Post by markusg » Wed Oct 05, 2011 4:49 pm


EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware/Not classified

Post by EP_X0FF » Wed Oct 05, 2011 5:06 pm

markusg wrote: http://www.virustotal.com/file-scan/report.html?id=d4b703bc3259272c11b3001ec56cd1a5f6c8534e60ad27695fe02d0949a56ae0-1317832653

Trojan downloader Phokace with AntiVM.

Payload: hxxp://www.allezdax.com/images/m.exe (Worm:Win32/Phorpiex.B, crypted and packed with MPRESS).

Decrypted downloader, payload and decrypted payload in attachment.

Windows Live Messenger spam templates
ICQ Conversations - MiniUserProfileDlg Internet Explorer_Server %s %s
DEU AUT LUX LIE CHE: wie findest du das foto? hab ich dir das foto schon gezeigt? das foto solltest du wirklich sehen schau mal das foto an unglaublich welche fotos leute von sich machen schau mal so will ich nicht aussehen wenn ich alt bin schau mal welches foto ich gefunden hab bist du das auf dem foto? kennst du das foto schon?
FRA: je ne pense pas que je vais pouvoir dormir après avoir vu ces photos. je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier. devrais-je mettre cette photo de profile? c'est la photo la plus marrante! dis moi ce que tu pense de cette photo de moi? mes parents vont me tués si ils trouvent cette photo.
NLD BEL: ken je dat foto nog? kijk wat voor een foto ik heb gevonden zo iets leilijk heb ik nog nooit in mijn leven gezien ik hoop dat jij het net bent op dit foto ben jij dat op dit foto? dit foto zal je echt eens bekijken! ken je dit foto al?
ITA: ti piace la foto? hai visto questa foto? la foto e grandiosa! ti ricordi la Foto? dopo che hai visto la foto, tu non dormirai piu conosci la persona in questa foto? chi e in questa foto?
NOR: se på dette bildet
DNK: ser på dette billede
FIN: katso tätä kuvaa
SWE: titta på denna bild
English (no country code): tell me what you think of this picture i edited this is the funniest photo ever! tell me what you think of this photo i don't think i will ever sleep again after seeing this photo i cant believe i still have this picture should i make this my default picture?
Posts moved.
Ring0 - the source of inspiration

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Worm:Win32/Phorpiex.B

Post by markusg » Fri Oct 21, 2011 10:36 am

Code:

http://www.shufflet.com//images/images.php?image=IMG0485497269.JPG

http://www.shufflet.com//images/ok.exe
IMG04854912.JPG.scr
MD5   : 818f265ef1991e4245083f5d1805f269
https://www.virustotal.com/file-scan/re ... 1319192552
ok.exe
MD5   : f9987d42b5e18ab1d4c8418949f9e837
https://www.virustotal.com/file-scan/re ... 1319192377

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: Worm:Win32/Phorpiex.B

Post by nullptr » Fri Oct 21, 2011 11:31 am

IMG04854912.JPG.scr -> TrojanDownloader Win32/Phokace.B - downloads
Worm Win32/Phorpiex.B hxxp://www.shufflet.com/images/ok.exe
Same as http://www.kernelmode.info/forum/viewto ... 1182#p8974

Waves97
Posts: 33
Joined: Sat Jun 02, 2012 4:41 pm
Location: Poland

Re: Trojan Zeus (alias ZBot)

Post by Waves97 » Thu Jan 24, 2013 6:08 pm

Next Zbot - I think.

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Zeus (alias ZBot)

Post by EP_X0FF » Fri Jan 25, 2013 4:09 am

Waves97 wrote: Next Zbot - I think.
Phorpiex.B which downloads Phorpiex.P (hxxp://www.nuvocuisine.com/images.php?image=IMG0540255.JPG) which downloads Phorpiex.M (hxxp://nuvocuisine.com/nnn.exe)

Missing bots in attachment, posts moved.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Phorpiex

Post by EP_X0FF » Mon Mar 11, 2013 6:49 am

Phorpiex delivered in spam. As usual, contains trivial Sandboxie and VM detections. USB autorunner.

UPX -> AutoIt Injector -> Bot (C:\Users\s\Desktop\Home\Code\B\Release\Trik.pdb)

https://www.virustotal.com/ru/file/edb1 ... /analysis/
https://www.virustotal.com/ru/file/2345 ... /analysis/

phorpiex.su
x1x4x0.su

Source hxxp://simplywtctickets.com/images.php

Code:

HTTP/1.1 200 OK
Date: Mon, 11 Mar 2013 10:49:16 GMT
Server: Apache
Content-disposition: attachment; filename=IMG0540230-JPG.scr
Connection: close
Transfer-Encoding: chunked
Content-Type: application/octet-stream
Ring0 - the source of inspiration
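Added example, not code from any post in this thread: a small Python triage routine for the delivery pattern that markusg's and EP_X0FF's posts above show, i.e. a lure URL of the form images.php?image=IMG<digits>.JPG answered with application/octet-stream and a Content-Disposition filename such as IMG0540230-JPG.scr or IMG04854912.JPG.scr. The first sample response reproduces the headers quoted above for simplywtctickets.com; the shufflet.com response body, the benign request to example.invalid, and the function names are constructed for the example.

```python
"""Triage of Phorpiex-style lure downloads from a URL plus the raw HTTP response."""
import re
from typing import Dict, Optional, Tuple

# Executable extensions seen delivered behind image-looking names in the thread.
EXEC_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Lure URL: images.php?image=IMG<digits>.JPG (any host, tolerates the double slash).
LURE_URL_RE = re.compile(r"/images\.php\?image=IMG\d+\.(?:jpe?g|png|gif)\b", re.IGNORECASE)
# Attachment name that mimics an image but ends in an executable extension,
# e.g. IMG0540230-JPG.scr or IMG04854912.JPG.scr.
DISGUISED_NAME_RE = re.compile(r"^IMG\d+[-_.]?(?:jpe?g|png|gif)\.(?:scr|exe|pif|com)$", re.IGNORECASE)


def parse_response_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def disposition_filename(value: str) -> Optional[str]:
    """Pull the filename out of a Content-Disposition value (quoted or bare)."""
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', value, re.IGNORECASE)
    return m.group(1).strip() if m else None


def classify_download(url: str, raw_response: bytes) -> dict:
    """Score one URL/response pair against the lure and payload-delivery heuristics."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)  # accept defanged URLs
    reasons = []
    lure_url = bool(LURE_URL_RE.search(url))
    if lure_url:
        reasons.append("lure URL pattern images.php?image=IMG<digits>.JPG")
    _, headers = parse_response_headers(raw_response)
    fname = disposition_filename(headers.get("content-disposition", ""))
    if fname:
        ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
        if ext in EXEC_EXT:
            reasons.append(f"attachment is an executable: {fname}")
        if DISGUISED_NAME_RE.match(fname):
            reasons.append(f"image-looking name with executable extension: {fname}")
    if lure_url and headers.get("content-type", "").lower().startswith("application/octet-stream"):
        reasons.append("image request answered with application/octet-stream")
    return {"url": url, "filename": fname, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: the first response reproduces the headers quoted above for
# simplywtctickets.com; the shufflet.com response and the benign example.invalid
# request are made up for the example.
SAMPLES = [
    ("hxxp://simplywtctickets.com/images.php",
     b"HTTP/1.1 200 OK\r\nDate: Mon, 11 Mar 2013 10:49:16 GMT\r\nServer: Apache\r\n"
     b"Content-disposition: attachment; filename=IMG0540230-JPG.scr\r\n"
     b"Connection: close\r\nTransfer-Encoding: chunked\r\n"
     b"Content-Type: application/octet-stream\r\n\r\n"),
    ("http://www.shufflet.com//images/images.php?image=IMG0485497269.JPG",
     b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
     b'Content-Disposition: attachment; filename="IMG04854912.JPG.scr"\r\n'
     b"Content-Type: application/octet-stream\r\n\r\n"),
    ("http://example.invalid/images/logo.png",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\n\x89PNG"),
]


def triage(samples=SAMPLES):
    """Classify every (url, response) pair; returns one verdict dict per sample."""
    return [classify_download(url, raw) for url, raw in samples]


if __name__ == "__main__":
    for v in triage():
        print("SUSPICIOUS" if v["suspicious"] else "ok", v["url"], *v["reasons"], sep="  ")
```

The simplywtctickets.com request has no query string, so it is caught only by the Content-Disposition filename; the shufflet.com request trips both the URL and the header checks. Feed a proxy log's URL and the captured response head into classify_download to reuse it outside the sample.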

rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: Win32/Phorpiex

Post by rinn » Mon Mar 11, 2013 12:47 pm

Hi.

From the above VT report https://www.virustotal.com/ru/file/2345 ... /analysis/:

Code:

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2013:03:10 21:02:35+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 23040
LinkerVersion............: 9.0
EntryPoint...............: 0x6696
InitializedDataSize......: 10752
SubsystemVersion.........: 5.0
ImageVersion.............: 0.0
OSVersion................: 5.0
UninitializedDataSize....: 0
Image

facepalm ;)

Best Regards,
-rin
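Added example, not rinn's code and not VirusTotal's: a Python reader for the PE header fields that the exiftool-style dump above is derived from (COFF TimeDateStamp, optional-header linker version, entry point, section sizes, subsystem and version fields). Since the sample itself is not on the page, the block constructs a header-only PE32 carrying the values rinn quoted (timestamp 2013-03-10 21:02:35+01:00, linker 9.0, entry point 0x6696, code 23040, initialized data 10752, uninitialized 0, Windows GUI, OS and subsystem version 5.0) and parses it back; the image base, alignments, section count and other fields the dump does not show are made up and marked as such. parse_pe_summary works on the bytes of a real PE file too.

```python
"""Read the PE header fields behind a VT/exiftool-style dump like the one above."""
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}


def parse_pe_summary(data: bytes) -> dict:
    """Return the summary fields from a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, tstamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 70:
        raise ValueError("optional header too short")
    opt = coff + 20
    # IMAGE_OPTIONAL_HEADER: Magic, Major/MinorLinkerVersion, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    magic, lmaj, lmin, size_code, size_init, size_uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    # From offset 40 on, PE32 and PE32+ share the same layout (ImageBase grows by 4
    # bytes while BaseOfData disappears), so these offsets hold for both.
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "MachineType": MACHINES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(),
        "LinkerVersion": f"{lmaj}.{lmin}",
        "CodeSize": size_code,
        "InitializedDataSize": size_init,
        "UninitializedDataSize": size_uninit,
        "EntryPoint": hex(entry),
        "OSVersion": f"{os_maj}.{os_min}",
        "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{ss_maj}.{ss_min}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_minimal_pe(timestamp: int, linker=(9, 0), code=23040, init=10752,
                     uninit=0, entry=0x6696, subsystem=2) -> bytes:
    """Constructed header-only PE32 (no sections, not loadable) for exercising the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Made-up values for fields the dump does not show: BaseOfCode, BaseOfData, ImageBase,
    # SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders.
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
                      0x10B, linker[0], linker[1], code, init, uninit, entry,
                      0x1000, 0x7000, 0x400000, 0x1000, 0x200,
                      5, 0, 0, 0, 5, 0,
                      0, 0x10000, 0x400, 0, subsystem, 0)
    # Machine i386, no sections (made up), characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + opt


def sample_summary() -> dict:
    """Parse a constructed header that carries the values rinn quoted from VT."""
    ts = int(datetime(2013, 3, 10, 20, 2, 35, tzinfo=timezone.utc).timestamp())  # 21:02:35+01:00
    return parse_pe_summary(build_minimal_pe(ts))


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key:.<25}: {value}")
```

TimeDateStamp is a 32-bit Unix time the linker writes at build; the output above normalises it to UTC, which is why the constructed header uses 20:02:35 UTC for the 21:02:35+01:00 the dump shows.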
