{
	"id": "e46e0c0c-b3f2-4c3b-afe1-6f868aa0a306",
	"created_at": "2026-04-06T00:21:22.783853Z",
	"updated_at": "2026-04-10T03:20:00.629789Z",
	"deleted_at": null,
	"sha1_hash": "18f823564d4bf3fd0f289835f78e19a9970eb5ef",
	"title": "Phorpiex Breakdown - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83084,
	"plain_text": "Phorpiex Breakdown - Check Point Research\r\nBy bferrite\r\nPublished: 2019-11-19 · Archived: 2026-04-05 12:42:29 UTC\r\nResearch by: Alexey Bukhteyev\r\nIntroduction\r\nWe recently wrote about the massive “sextortion” spam campaign carried out by the Phorpiex botnet. However,\r\nthis is only a small part of this botnet’s malicious activity. Capable of acting like both a computer worm and a file\r\nvirus, Phorpiex is spread through exploit kits and with the help of other malware and has infected more than\r\n1,000,000 Windows computers to date. By our assessment, the annual criminal revenue generated by Phorpiex\r\nbotnet is approximately half a million US dollars.\r\nOf course, to maintain such a large botnet, a reliable command and control (C\u0026C) infrastructure is required. For\r\nmalware with a small outreach, or if infected computers are not part of a single botnet, virtual private servers\r\n(VPS) are most often used. VPS hosting services can be purchased from legitimate companies. Many VPS hosting\r\nproviders don’t require identity verification, and the services can be paid for anonymously.\r\nHowever, in the case of the Phorpiex botnet, a public VPS is not suitable. First of all, the C\u0026C server for such a\r\nbotnet would immediately attract attention with a large amount of malicious traffic: several million requests per\r\nday from more than 100,000 unique IP addresses are sent to the Phorpiex C\u0026C servers. By our assessment, the\r\nmonthly volume of the botnet’s C\u0026C traffic may exceed 70 TB. Therefore, Phorpiex doesn’t use public VPS\r\nhosting services. Instead, it uses dedicated IP subnets registered to figureheads.\r\nBotnet Architecture\r\nInitially, the Phorpiex has been known as a botnet operated using IRC protocol (also known as Trik). However,\r\nrecent Phorpiex campaigns have switched to modular architecture and got rid of IRC communication. We barely\r\nsaw any of its IRC C\u0026C servers online in 2019. 
However, our sinkholes still indicate many thousands of hosts\r\ninfected with Trik. When we did spot IRC C\u0026C servers online, we managed to capture a command for loading\r\nother malware onto the infected machines:\r\nFigure 1 – Trik C\u0026C communication dump with the decrypted URL.\r\nWe assume that this malware, self-named Tldr (probably stands for “TrikLoader”), has currently become the core\r\npart of the Phorpiex botnet. Tldr is a downloader that uses the HTTP protocol for communication with C\u0026C servers.\r\nIts main purpose is to load other malware onto the infected machines. Some Tldr samples have the functionality\r\nof a computer worm and can spread through removable drives. We also observed variants of the malware that act\r\nlike a file virus, infecting other software.\r\nhttps://research.checkpoint.com/2019/phorpiex-breakdown/\r\nPage 1 of 10\n\nIf necessary, malware actors can extend the functionality of the botnet by loading additional modules. The image\r\nbelow shows the infection flow and modular architecture of the current botnet.\r\nFigure 2 – Phorpiex infection flow and architecture.\r\nThe purpose of Tldr, and modules such as the VNC Worm and the NetBIOS Worm, is to distribute the botnet as\r\nmuch as possible. The final goal of the Phorpiex operators is to gain profit, generally in crypto-currency.\r\nThe main ways the botnet is monetized:\r\n– Sextortion spam.\r\n– Crypto-jacking.\r\n– Crypto-currency clipping.\r\n– Providing services for loading other malware (Raccoon stealer, Predator The Thief), distributing ransomware.\r\nCurrently, the Phorpiex botnet doesn’t load ransomware. After the termination of the GandCrab ransomware, the\r\nPhorpiex botnet completely switched to sending sextortion spam emails from the infected computers and loading\r\ndata stealers onto them.\r\nWe should emphasize that almost all samples of Trik and Tldr include crypto-clipper functionality. 
Addresses of\r\nall crypto wallets consist of a long combination of digits and letters. The only way to transfer crypto-currency\r\nwithout additional devices is to copy the address to the clipboard and then insert it in a corresponding field in a\r\nwallet application. The malware alters crypto wallet addresses in a clipboard, and the money is transferred to the\r\nwallet that belongs to the malware operators. Crypto-clipper functionality allows malware operators to gain profits\r\nwithout any additional effort, even when C\u0026C servers are offline. Bitcoin wallets used in both Trik and Tldr\r\nconfigurations continue to receive stolen Bitcoins and have collected more than 17 BTC so far.\r\nBotnet capacity assessment\r\nPhorpiex bots continuously scan domain names and IP addresses extracted from the configuration. Even if a valid\r\nC\u0026C server responds, the malware continues to query other hosts. Therefore, after registering domains from\r\ndifferent Tldr configurations, we started to receive a large number of connections from Phorpiex bots. This\r\nallowed us to assess the prevalence of the botnet.\r\nDuring the past two months, we registered connections from more than 1,000,000 unique hosts. At any given time,\r\nan average of 15,000 bots is online, and up to 100,000 bots are active daily.\r\nFigure 3 – Number of bots online hourly.\r\nThe botnet hosts are primarily located in Asia. The most significant parts of the botnet are located in India, China,\r\nThailand, and Pakistan. There are also bots present in the US, Mexico, and many African countries. Europe is\r\nalmost unaffected by the botnet.\r\nFigure 4 – Phorpiex botnet global locations.\r\nC\u0026C Infrastructure\r\nAll Phorpiex modules use a hard-coded list of IP addresses and domain names for C\u0026C communication. 
While\r\nmost malware implements a DGA, using hard-coded domain names doesn’t impair the survival of the Phorpiex\r\nbots. We suppose the list of domain names is used as a precaution, to be able to regain control of the bots in case\r\nof the loss of C\u0026C servers accessed by the IP address. The list of domain names is updated periodically. While\r\nmonitoring the Phorpiex campaign during 2019, we discovered more than 4,000 different samples of Tldr, with\r\napproximately 300 configurations and 3297 domain names and IP addresses.\r\nTldr uses the same C\u0026C servers that were used by the Trik IRC bot:\r\nFigure 5 – Phorpiex C\u0026C infrastructure.\r\nCurrently, the most active IP addresses used by the botnet for its C\u0026C servers are 185.176.27.132 and addresses from the\r\nsubnet 92.63.197.0/24.\r\nWe found that the subnet 92.63.197.0/24, which hosts a lot of Phorpiex C\u0026C servers, was also observed in other\r\nthreats like Smoke Loader and Necurs, and used for sending phishing and spam emails, and for port scanning.\r\nOne more interesting fact regarding this subnet is that it is registered to an individual entrepreneur in Ukraine:\r\norg-name: FOP HORBAN VITALII Anatoliyovich\r\norg-type: OTHER\r\naddress: 62408, KHARKIV REGION, ELITE village, SCHOOL str. 25, AP. 
26\r\ne-mail: vetalgorban@protonmail.com\r\nWe found the registration data for an individual entrepreneur called “FOP HORBAN VITALII Anatoliyovich.”\r\nHis main activity is in food retail:\r\nFigure 6 – Screenshot from the Directory of Companies of the Ukraine.\r\nTherefore, we think “FOP HORBAN VITALII Anatoliyovich” is just a figurehead.\r\nAlmost the same situation appears if we search for data about another IP address used by the Phorpiex C\u0026C server\r\n– 185.176.27.132:\r\norg-name: IP Dunaev Yuriy Vyacheslavovich\r\norg-type: OTHER\r\naddress: 420132, Kazan, Chuikova str, 69\r\ne-mail: dunaevyur@gmail.com\r\nDunaev Yuriy Vyacheslavovich is also an individual entrepreneur from Russia (Republic of Tatarstan) whose main\r\nactivity is transport services. As in the previous case, the activity of the entrepreneur is not related to the Internet\r\nor IT in any way.\r\nPackets to this network are routed through Telehouse ISP, which is physically located in Bulgaria:\r\n9 50 ms 49 ms 49 ms as50360.peer.telehouse.bg [178.132.83.102]\r\n10 46 ms 46 ms 46 ms 192.168.244.2\r\n11 51 ms 50 ms 50 ms 185.176.27.9\r\n12 50 ms 46 ms 50 ms 185.176.27.132\r\nPerhaps, what we are witnessing is cooperation between Phorpiex and another cybercrime group that obtains IP\r\nsubnets from RIPE and provides services for hosting malicious C\u0026C infrastructure.\r\nCrypto-jacking campaign\r\nCryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. One of the final\r\npayloads loaded to Phorpiex-controlled computers is XMRig mining software. The reward for crypto-currency\r\nmining using XMRig is paid in Monero (XMR). The Phorpiex XMRig miner comes with the configuration\r\nembedded in the sample. 
It uses Phorpiex C\u0026C servers as mining pools:\r\nXMRig downloaded from | Pool address\r\nhxxp://93.32.161[.]73/2, hxxp://185.176.27[.]132/2 | 193.32.161.73:7777\r\nhxxp://185.176.27[.]132/2 | 185.176.27.132:4545\r\nhxxp://193.32.161[.]77/2.exe | 193.32.161.77:9595\r\nhxxp://92.63.197[.]38/3.exe, hxxp://92.63.197[.]60/2.exe, hxxp://92.63.197[.]153/2.exe, hxxp://94.156.133[.]65/55.exe | 92.63.197.153:7575\r\nhxxp://193.32.161[.]69/2.exe, hxxp://193.32.161[.]77/2.exe | 193.32.161.69:5555\r\nTable 1 – Phorpiex C\u0026C servers and XMRig mining pools.\r\nIn addition, we found XMR addresses for Phorpiex XMRig samples and found that they are the same as those\r\nused in the “sextortion” campaign. The wallets are stored in integrated format. This means that the address also\r\ncontains the Payment ID. The Payment ID is usually used to identify transactions to merchants and exchanges.\r\nGiven the intrinsic privacy features built into Monero, where a single public address is usually used for incoming\r\ntransactions, the Payment ID is especially useful to tie incoming payments with user accounts. 
The XMR\r\naddresses extracted from the Phorpiex XMRig samples and used in sextortion campaigns differ only by the\r\nPayment ID:\r\nWallet from the XMRig sample (MD5 36e824615d72d11a3f962ec025bfceba): 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQujt72bSgzs7j6uNDV\r\nWallet from the XMRig sample (MD5 7f8880c0bc2dd024a3cf5261b6582313): 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQsTC167gPTeRcVSaut\r\nWallet from the sextortion spam module (MD5 2c50efc0fef1601ce1b96b1b7cf991fb): 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQubDtNq5uuC622w4we\r\nTable 2 – Phorpiex Monero wallets noticed in XMRig samples and sextortion campaign.\r\nThese facts leave no doubt that the Phorpiex botnet owners receive all the profit from mining.\r\nUnfortunately for us, due to its privacy features, the Monero blockchain doesn’t allow us to track transactions and\r\nview an individual’s balance. However, we can estimate the profitability of the crypto-jacking campaign using the\r\nresults of the botnet capacity assessment, the Monero mining profitability calculator, and other Monero\r\nbenchmarks. Assuming that the average Phorpiex victim doesn’t have top-level hardware, the basis of our\r\ncalculation was a low hash rate of 100 H/s, which corresponds to an Intel i5-6500T CPU. At any given time, an\r\naverage of 15,000 bots is online. Therefore, the total Monero mining hash rate provided by the Phorpiex botnet is 1.5\r\nMH/s. 
Of course, Phorpiex actors don’t pay for the electricity and pool fee as regular miners do, so we assume\r\nthose values are equal to 0:\r\nFigure 7 – Monero mining profitability calculation.\r\nTherefore, by our assessment, the Phorpiex botnet must generate at least 3,122 XMR per year, which currently is\r\nequivalent to about 21 Bitcoins (BTC) or $180,000.\r\nCrypto-clipping campaign\r\nWe first saw transactions to the wallets observed in the Trik configuration in August 2016. This may be the time\r\nwhen crypto-clipping functionality was first added to Trik. Malware creators started their operations stealing\r\nBitcoin only. In Tldr, they added support for a large number of virtual assets including Ethereum, Litecoin and\r\neven Perfectmoney.\r\nUnlike Monero, the Bitcoin and Ethereum blockchains allow us to monitor all transactions. Therefore, we are able\r\nto assess how effective a particular crypto-clipping campaign is. We collected a large number of Trik and Tldr\r\nsamples and the Bitcoin wallets extracted from them.\r\nBitcoin wallets extracted from Trik configurations received a total of more than 11 BTC in 376 transactions:\r\nBTC Wallet | Amount (BTC) | First Transaction Date | Last Transaction Date\r\n1JWWZFUVAWvFNS2D5qwQQo4oSsseoD9kAn 0,04953613 14.08.2016 24.08.2016\r\n1HewcqbrkXY5iqrDqjb4j4AHiaDeobpE6P 0,00030088 21.06.2017 21.06.2017\r\n1KXZqR1fjAxcv1gvdmPfN2WsWsDwM7r2R2 0,0165661 18.06.2017 09.10.2018\r\n1of6uEzx5qfStF1HrVXaZ1eE3X4ntnbsx 5,33347017 10.08.2017 02.09.2019\r\n1LaVtKqJatoeAHkHEgp9UF2fJEarEdZPr9 0,37694525 13.09.2016 17.11.2016\r\n1Kzhh4nqyjB3MAoQ5uH2Bcdz3qXWpnsMzd 3,39173817 19.12.2016 10.04.2017\r\n1CpQYTKfiYj8ZoXUmz1DaohjJVsDzGpgbx 0,81380018 01.02.2017 11.09.2019\r\n18qKrmaUXaEgbYEn6yMkGKNcqkYB3mSxNv 1,60713638 22.11.2016 04.08.2018\r\nTotal 11,58949326\r\nTable 3 – Phorpiex Trik crypto-clipper BTC wallets.\r\nAs we can see from the table, despite the fact 
that Trik bots don’t receive updates and the C\u0026C servers are offline,\r\nsome wallets still continue to gain Bitcoins.\r\nThe table below contains Bitcoin wallets extracted from Tldr configurations:\r\nBTC Wallet | Incoming Transactions | Amount (BTC) | First Transaction Date\r\n1DYwJZfyGy5DXaqXpgzuj8shRefxQ7jCEw 214 2,53308 31.05.2018\r\n1BdhCwNFzNbWoJvxrok6V7z2af7xjJLS58 23 0,313455 29.04.2019\r\n1Gx8oRKKczwdB32yiLzVx5hsjAze6g5HHw 13 0,286929 05.07.2019\r\n14GJm9M5zaX6Zyojt5yxNZcdoouJ4WPAgT 10 0,109102 31.01.2019\r\n1EN3bbs8UdVWA3i3ixtB9jQWvPnP9us4va 50 0,277109 21.02.2019\r\n1C2SvtsUu8YZVUBbha4KiBGYRW5dwtrRvd 9 0,141692 30.06.2018\r\n18bzpjFfo5JQ41GzzUNRMgcE7WwQwpqFrR 14 0,116484 12.09.2019\r\n1Bn4JYKoVgQpZ73doWVFSNZBbwKj3cpJNR 23 0,192937 28.07.2019\r\n1CUhtfNjsGMZziCVzZ4oVan9NCGriY4NDZ 14 0,139406 17.04.2019\r\n1MaN4Me35n1kM6h7JVPNUQYqYgjasEQLzs 29 0,105204 08.06.2019\r\n19mduWVW9QphW5W2caWF84wcGVSmASRYpf 8 0,016345 27.09.2019\r\n1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh 25 0,242939 18.07.2019\r\n13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa 33 0,286732 19.08.2019\r\n19B5G1ftgXRrD6GiTzThL9BiySVdf1HJZy 27 0,718224 04.12.2018\r\n1LdFFaJiM7R5f9WhUEskVCaVokVtHPHxL5 7 0,017085 30.10.2018\r\nTotal 499 5,49672513\r\nTable 4 – Phorpiex Tldr crypto-clipper BTC wallets.\r\nTherefore, in the three-year period, crypto-clipping campaigns allowed the malware operators to steal more than 17\r\nBTC in 875 transactions, or about 5.6 BTC annually.\r\nEthereum crypto-currency wallets extracted from Trik and Tldr samples gained much less than Bitcoin wallets:\r\nETH Wallet | Incoming Transactions | Amount (ETH)\r\n0x8b7f16faa3f835a0d3e7871a1359e45914d8c344 2 0,163207\r\n0xa9b717e03cf8f2d792bff807588e50dcea9d0b1c 2 0,1988\r\n0xff0d45f3e2ec83de3b2e069300974732ba1c5d30 9 1,827462\r\n0x373b9854c9e4511b920372f5495640cdc25d6832 2 0,096352\r\n0x87f84b56fb061f51ca709f2ac3fc6e2d4b3b8f8f 5 
4,139667\r\n0xa5228127395263575a4b4f532e4f132b14599d24 3 0,092458\r\n0x43e44151ad4d625d367376a6fd3ea44c82718777 3 7,294262\r\n0x05F916216CC4BA6ac89b8093d474E2a1e6121c63 2 0,301865\r\n0xc4e6e206ddc7f83a78582fc4e5536a8ed395c5e1 1 0,017308\r\n0x74e4195d16e8887ebe6d6abde1aa38bc91e69976 2 0,039646\r\n0x08a1f48df7b6847fe8276ee55068f6cf83340c9a 0 0\r\n0xb6d8926bf0418de68a7544c717bbb4ea198769cc 9 1,240524\r\n0xab1b250d67d08bf73ac864ea57af8cf762a29649 0 0\r\n0xff8c5843e7abe2708037fc1acdca83b37466a299 11 1,911012\r\nTotal 40 17,32256\r\nTable 5 – Phorpiex crypto-clipper ETH wallets.\r\nThere are only 51 transactions, with a total amount of about 17 ETH, whose current value is much less than\r\nBitcoin. However, those wallets are interesting to us for another reason. Services like etherscan.io can show if an\r\nEthereum address belongs to a particular exchange or service. For the addresses from the table, all ETH are\r\ntransferred to the address of the Cryptonator service:\r\nFigure 8 – Ethereum transactions from the Phorpiex ETH address.\r\nTherefore, we can conclude that the Ethereum addresses used in the crypto-clipping campaign are created in a\r\nCryptonator wallet. Cryptonator requires a valid email address for registration and confirmation for each new IP\r\naddress and device by email. We think that the access logs of the Cryptonator service may store the real IP\r\naddresses of the Phorpiex actors.\r\nAnother interesting fact is that some of the Ethereum wallets have collected a large number of ERC-20 tokens:\r\nFigure 9 – Ethereum ERC-20 tokens transactions to the Phorpiex ETH address.\r\nHowever, the tokens can’t be withdrawn from the wallets because Cryptonator doesn’t support tokens based on\r\nthe Ethereum blockchain. Most likely, this wasn’t taken into account by the malware actors. 
Therefore, token\r\ntransfers from victims are simply blackholed.\r\nComparison to the sextortion campaign\r\nWe’ve been observing the Phorpiex sextortion campaign for about half a year. During this period, we recorded\r\ntransfers of more than 14 Bitcoins [update the numbers before publication] to the Phorpiex wallets related to this\r\ncampaign. If the trend continues, the annual revenue of the sextortion campaign would be 28 Bitcoins.\r\nFigure 10 – Comparison of the Phorpiex earnings from different malicious activities.\r\nSextortion appears to be a more profitable venture than crypto-currency clipping or mining using the botnet’s\r\ncomputing power. However, those malicious activities complement each other, generating about 54.6 Bitcoins\r\nannually, which is currently about $500,000.\r\nConclusion\r\nWe inspected some of the Darknet advertisements that provide prices for malware installation services. Usually,\r\ninfection service prices vary from $100 to $1000 per 1000 infections, depending on the victims’ location.\r\nPhorpiex bots are mostly located in Asia – the region in which malware installation services are the cheapest.\r\nTherefore, to purchase malware infection services on the Darknet, the owners of the Phorpiex botnet would pay\r\nabout $100,000. However, in addition to purchasing infections through side services like the RIG exploit kit or the\r\nSmokeloader botnet, Phorpiex also uses its own distribution techniques: the VNC worm module, NetBIOS worm\r\nmodule, and file virus functionality. But even with these costs, as we can see, the creation of such a botnet appears\r\nto be very profitable.\r\nThe tools used by Phorpiex are not too sophisticated. 
Obviously, not much time was spent on their development.\r\nThis case shows us that such a massive botnet can be created by cybercriminals without a deep knowledge of\r\nsystem programming, cryptography, etc.\r\nThe ecosystem that currently exists in the Darknet makes it easy enough to implement almost any idea for\r\ncybercrime.\r\nIOC\r\nMD5 | Description | Downloaded From\r\n58198a2ebac604399c3e930207df47f1 | Phorpiex Trik v5.0\r\n64990a45cf6b1b900c6b284bb54a1402 | Phorpiex Tldr v3.0\r\ne5aea3b998644e394f506ac1f0f2f107 | Phorpiex Tldr v2.0\r\n383498f810f0a992b964c19fc21ca398 | Phorpiex Tldr v1.0\r\nafe348ff22ad43e98ee7ab19a851b817 | Phorpiex Tldr mod2019, dropped by Trik 2019-07-23 | hxxp://92.63.197[.]59/lst.exe\r\nd9e59a4295926df49c8d6484aa6b8305 | Phorpiex Tldr, dropped by RIG EK 2019-05-29 | hxxp://94.156.133[.]65/11.exe\r\n051356bee1541f592d66969af46feb95 | Phorpiex Tldr, dropped by SmokeLoader 2019-05-15 | hxxp://ghjk78kjhb[.]net/ -\u003e hxxp://94.156.133[.]65/11.exe\r\n99a349f6b758c80e9a1b88d1895e7790 | Sextortion DASH | hxxp://185.176.27[.]132/4\r\nd85dcfd49b8e259f4135fa9f021f250a | Sextortion BTC | hxxp://thaus[.]top/7\r\n2c50efc0fef1601ce1b96b1b7cf991fb | Sextortion XMR | hxxp://185.176.27[.]132/6\r\n8f9b7c1c2b84b8c71318b6776d31c9af | XMRig miner | hxxp://185.176.27[.]132/2\r\nC\u0026C IP MD5\r\n112.126.94.107 2d33fd32d8ec7b7d0ed379b80a167ff4\r\n123.56.228.49 2d33fd32d8ec7b7d0ed379b80a167ff4\r\n172.104.40.92 2d33fd32d8ec7b7d0ed379b80a167ff4\r\n185.176.27.132 f3dcf80b6251cfba1cd754006f693a73\r\n193.32.161.69 a8ab5aca96d260e649026e7fc05837bf\r\n193.32.161.73 a24bb61df75034769ffdda61c7a25926\r\n193.32.161.77 cc89100f20002801fa401b77dab0c512\r\n87.120.37.156 97835760aa696d8ab7acbb5a78a5b013\r\n87.120.37.234 a0039fbc46f2e874f2e4151712993343\r\n87.120.37.235 f0c7f0823de1a9303aa26d058c9951a0\r\n92.63.197.106 e24b40197da64a4baa9a81cc735e839b\r\n92.63.197.112 
82eecd3b80caa7d0f51aba4ee8149c1a\r\n92.63.197.153 20ef08bdae07f3494e20195e65d7b7f5\r\n92.63.197.38 49d218a1a09ba212e187dc2de923ba62\r\n92.63.197.48 1462114257a6fcc52a8782c2a2616009\r\n92.63.197.59 c63a7c559870873133a84f0eb6ca54cd\r\n92.63.197.60 82eecd3b80caa7d0f51aba4ee8149c1a\r\n94.156.133.65 b69270ee30bd20694948dba6c09ead7f\r\n95.81.1.43 5c79b524fb8d9bb4e9a3d79fe543c011\r\n124.158.10.82 1727de1b3d5636f1817d68ba0208fb50\r\n125.212.217.33 1727de1b3d5636f1817d68ba0208fb50\r\n125.212.217.30 1727de1b3d5636f1817d68ba0208fb50\r\n127.181.87.80 af1cf2281597aba08e40cf7c030d71a9\r\n183.81.171.242 53cb3f1e57fbd596463d164d1ca79a14\r\n185.189.58.222 aa0d8b2506376c95ba314e14f08a9b49\r\n220.181.87.80 f8c110929606dca4c08ecaa9f9baf140\r\n210.211.116.246 1727de1b3d5636f1817d68ba0208fb50\r\nCheck Point Anti-Bot blade provides protection against this threat:\r\nWorm.Win32.Phorpiex.C\r\nWorm.Win32.Phorpiex.D\r\nWorm.Win32.Phorpiex.H\r\nSource: https://research.checkpoint.com/2019/phorpiex-breakdown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2019/phorpiex-breakdown/"
	],
	"report_names": [
		"phorpiex-breakdown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18f823564d4bf3fd0f289835f78e19a9970eb5ef.pdf",
		"text": "https://archive.orkl.eu/18f823564d4bf3fd0f289835f78e19a9970eb5ef.txt",
		"img": "https://archive.orkl.eu/18f823564d4bf3fd0f289835f78e19a9970eb5ef.jpg"
	}
}