phorpiex: 025f5798 — MSVC9 thin HTTP downloader, earlier build (13:06 UTC) missing 15.exe payload
Executive Summary
A confirmed campaign sibling of phorpiex downloader 6b8527a7. Same 10 KB PE32 MSVC9 build, same C2 (178.16.54.109), same payload naming convention (14.exe, peinf.exe, xmr.exe, xmrget.exe, grab.exe), same marker-file gating, same dual WinInet+URLMon fetch, same Zone.Identifier cleanup, same x64+Win11 build gating via RtlGetVersion. The only material delta: compiled 3 hours 51 minutes earlier (2026-05-22 13:06:11 UTC vs 16:56:51 UTC) and omits the 15.exe fetch present in the later build. Static-only (no CAPE). ^[rabin2-info.txt:11] ^[pefile.txt:33]
What It Is
| Field | Value |
|---|---|
| SHA-256 | 025f57988953e3d23e1657a9af5610887e57c5390a82f73b4b2b99c30eef3b70 |
| File type | PE32 executable (GUI) Intel 80386, 5 sections ^[file.txt] |
| Size | 10 240 bytes |
| Linker | MSVC 9.0 (Visual Studio 2008) ^[exiftool.json:18] |
| CRT | MSVCR90.dll, manifest dependency on VC90.CRT 9.0.21022.8 ^[strings.txt:73] |
| Compile timestamp | 2026-05-22 13:06:11 UTC ^[pefile.txt:33] |
| Entry point | 0x1875 (standard __tmainCRTStartup → main) ^[pefile.txt:50] |
| Signed | No ^[rabin2-info.txt:27] |
| Packed | No ^[binwalk.txt] |
| CAPE detonation | Skipped — no Windows guest available ^[dynamic-analysis.md] |
OpenCTI label: dropped-by-phorpiex. Confidence medium — umbrella campaign label. For complete family characterization, shared build traits, and full TTP mapping, see /intel/analyses/6b8527a7f761e8a5489b81ea8a79cbbbd9c09485b9b5d7c28cd892ef66599339.html and entities/phorpiex.md. This report covers only per-sample deltas.
Decompiled Behavior
Entry point is honest MSVCR90 CRT: __wgetmainargs → __tmainCRTStartup → main at 0x4014b3. No initterm hijack. ^[r2:entry0]
main sleeps 2000 ms, then drives a flat sequential fetch: ^[r2:sym.main]
- Download `http://178.16.54.109/14.exe` → write `%TEMP%\<rand>_<rand>.exe` → execute via `CreateProcessW(CREATE_NO_WINDOW)` with `ShellExecuteW` fallback.
- Download `http://178.16.54.109/peinf.exe` → same write+execute.
- Gate A — check `%appdata%\d3333333333333333333.txt`. If absent, create and proceed; else skip to Gate D.
- Gate B — `PathFileExistsW("%SYSTEMDRIVE%\Program Files (x86)")` (x64 indicator). ^[r2:fcn.004013e5]
- If Gate B passes: download `xmr.exe` → execute.
- Gate C — `RtlGetVersion` via `GetProcAddress(ntdll.dll)`; require `Major==10`, `Minor==0`, `BuildNumber>0x55f0` (Win11 / recent Win10). ^[r2:fcn.00401435]
- If Gate C passes: download `xmrget.exe` → execute.
- Gate D — check `%appdata%\f3f3f3d3d.txt`. If absent, create and proceed; else return.
- If Gate D passes: download `grab.exe` → execute.
Downloader Routine (fcn.004010a8)
Identical to sibling 6b8527a7: ^[r2:fcn.004010a8]
- Seed PRNG with `GetTickCount()`. `InternetOpenW` with hardcoded Chrome 128 UA (`Win64; x64` from a 32-bit binary).
- WinInet primary: `InternetOpenUrlW` → `InternetReadFile` (4 KB chunks) → `CreateFileW` → `WriteFile`. `DeleteFileW` on `%s:Zone.Identifier` to strip origin ADS.
- Sleep 1 s, then execution helper.
- Fallback: random sleep up to ~5 min (`rand() % 0xEA60 * 5`), regenerate filename, `URLDownloadToFileW`.
- Repeat Zone.Identifier deletion and execution.
Execution Helper (section..text @ 0x401000)
^[r2:section..text]
- `CreateProcessW` with `dwCreationFlags = 0x20` (CREATE_NO_WINDOW).
- On failure: `ShellExecuteW(hwnd=NULL, verb=L"open", file=path, nShowCmd=0)` (SW_HIDE).
- Sleep 1 s, close handles.
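The downloader routine and execution helper above leave three host-observable steps in a fixed order: a cleartext HTTP connection to the C2 IP, deletion of the `:Zone.Identifier` stream on a digit-named file under `%TEMP%`, and a process created from that same file. The following detection logic, added here as an example and not code from the report or the analysed sample, correlates those three steps per downloader process over constructed Sysmon-shaped events (EventID 3 network connect, 23 file delete, 1 process create). The field names (`host`, `pid`, `parent_pid`, `image`, `target`, `dest_ip`) are an assumed normalised schema, not any product's native one.

```python
"""Correlate the phorpiex thin-downloader chain over host telemetry.

Added example; constructed events, assumed field names (see lead-in).
"""
import re
from collections import defaultdict

C2_IP = "178.16.54.109"
# Covers both renderings of the staged name on the page: %s\%d%d.exe and
# <rand>_<rand>.exe, restricted to a \Temp\ directory.
STAGED_EXE = re.compile(r"\\temp\\\d+_?\d+\.exe$", re.IGNORECASE)
ZONE_ADS = re.compile(r"\\temp\\\d+_?\d+\.exe:Zone\.Identifier$", re.IGNORECASE)
WINDOW_SECONDS = 600  # the URLMon fallback sleeps up to ~5 min first

STAGES = ("c2_fetch", "zone_strip", "temp_exec")


def classify(ev):
    """Map one event to a chain stage, or None if it is not of interest."""
    if ev["event_id"] == 3 and ev.get("dest_ip") == C2_IP and ev.get("dest_port") == 80:
        return "c2_fetch"
    if ev["event_id"] == 23 and ZONE_ADS.search(ev.get("target", "")):
        return "zone_strip"
    if ev["event_id"] == 1 and STAGED_EXE.search(ev.get("image", "")):
        return "temp_exec"
    return None


def detect_chain(events):
    """Return one alert per (host, downloader pid) showing all three stages,
    in order, within WINDOW_SECONDS."""
    by_actor = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        # The process-create event is attributed to its parent (the downloader);
        # the network and delete events belong to the downloader itself.
        actor = ev["parent_pid"] if ev["event_id"] == 1 else ev["pid"]
        by_actor[(ev["host"], actor)].append((ev["ts"], stage))
    alerts = []
    for (host, actor), items in by_actor.items():
        first_seen = {}
        for ts, stage in sorted(items):
            first_seen.setdefault(stage, ts)
        if not all(s in first_seen for s in STAGES):
            continue
        t = [first_seen[s] for s in STAGES]
        if t[0] <= t[1] <= t[2] and t[2] - t[0] <= WINDOW_SECONDS:
            alerts.append({"host": host, "downloader_pid": actor, "first_seen": t[0]})
    return alerts


# Constructed sample telemetry: one infected host (ws01, downloader pid 4120)
# and one benign host where a browser strips the mark-of-the-web on a PDF.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "event_id": 3, "pid": 4120,
     "dest_ip": "178.16.54.109", "dest_port": 80},
    {"host": "ws01", "ts": 102, "event_id": 23, "pid": 4120,
     "target": r"C:\Users\a\AppData\Local\Temp\1234567_89012.exe:Zone.Identifier"},
    {"host": "ws01", "ts": 104, "event_id": 1, "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Users\a\AppData\Local\Temp\1234567_89012.exe"},
    {"host": "ws02", "ts": 200, "event_id": 23, "pid": 900,
     "target": r"C:\Users\b\Downloads\report.pdf:Zone.Identifier"},
    {"host": "ws02", "ts": 201, "event_id": 1, "pid": 950, "parent_pid": 900,
     "image": r"C:\Program Files\Acrobat\Acrobat.exe"},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three stages from the same actor keeps ordinary mark-of-the-web removal by browsers and archivers out of the alert set; the C2 IP and the `\Temp\<digits>.exe` naming are the two anchors that survive even if the URLMon fallback path is the one taken.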
Marker-File Gates
- Gate A (`fcn.004012fb`): expand `%appdata%`, `PathCombineW` → `d3333333333333333333.txt`, `CreateFileW` if absent.
- Gate D (`fcn.00401370`): expand `%appdata%`, `PathCombineW` → `f3f3f3d3d.txt`, `CreateFileW` if absent. ^[r2:fcn.004012fb] ^[r2:fcn.00401370]
Build Gating
- x64 detection: `PathFileExistsW("%SYSTEMDRIVE%\Program Files (x86)")` — cheap architecture probe. ^[r2:fcn.004013e5]
- OS build detection: load `ntdll.dll` → resolve `RtlGetVersion` → populate 0x114-byte `RTL_OSVERSIONINFOW` → check `dwMajorVersion==10`, `dwMinorVersion==0`, `dwBuildNumber>0x55f0` (21999). ^[r2:fcn.00401435]
No IsDebuggerPresent call in execution path (import appears as unused CRT artifact). No VM checks. No string encryption. No packing.
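For incident scoping it helps to know which of the five payloads a given host would actually have received, which depends on the marker-file gates and the build gates together with the sequential flow in `main`. The model below is an added example, not code from the report or the sample: it replays the gate flow for one execution and mutates the marker set the way the sample's `CreateFileW` calls mutate `%appdata%`, so calling it twice reproduces second-run behaviour. Two assumptions are baked in: Gate C is only evaluated after Gate B passes (matching the C2 table's "x64 + Build >21999" for `xmrget.exe`), and the build comparison uses the hex constant `0x55f0` as the decompiler reported it; note that `0x55f0` is 22000 in decimal, so a strict greater-than as written admits builds from 22001 upward.

```python
"""Replay of the phorpiex downloader gate flow (Gates A-D) for one host.

Added example with the assumptions stated in the lead-in.
"""

MARKER_A = "d3333333333333333333.txt"   # Gate A marker in %appdata%
MARKER_D = "f3f3f3d3d.txt"              # Gate D marker in %appdata%
BUILD_THRESHOLD = 0x55F0                # as reported from fcn.00401435


def gate_b_x64(program_files_x86_exists):
    """Gate B: PathFileExistsW("%SYSTEMDRIVE%\\Program Files (x86)")."""
    return bool(program_files_x86_exists)


def gate_c_build(major, minor, build):
    """Gate C: RtlGetVersion must report 10.0 with dwBuildNumber > 0x55f0."""
    return major == 10 and minor == 0 and build > BUILD_THRESHOLD


def simulate_run(host, appdata_markers):
    """Return the payload names fetched during one execution.

    host: {"x86_dir": bool, "os": (major, minor, build)}
    appdata_markers: set of marker filenames present in %appdata%; updated
    in place exactly where the sample would create a marker file.
    """
    fetched = ["14.exe", "peinf.exe"]          # ungated, always attempted
    if MARKER_A not in appdata_markers:        # Gate A: absent -> create, proceed
        appdata_markers.add(MARKER_A)
        if gate_b_x64(host["x86_dir"]):        # Gate B
            fetched.append("xmr.exe")
            if gate_c_build(*host["os"]):      # Gate C (assumed nested in B)
                fetched.append("xmrget.exe")
    # Gate A present -> fall through to Gate D without the mining payloads
    if MARKER_D in appdata_markers:            # Gate D: present -> return
        return fetched
    appdata_markers.add(MARKER_D)
    fetched.append("grab.exe")
    return fetched


if __name__ == "__main__":
    # Constructed host facts: a fresh x64 Windows 11 workstation, run twice.
    markers = set()
    win11_x64 = {"x86_dir": True, "os": (10, 0, 22631)}
    print("first run :", simulate_run(win11_x64, markers))
    print("second run:", simulate_run(win11_x64, markers))
```

Reading the result backwards is the useful direction during response: a host where only `grab.exe` appears in telemetry alongside the two generic payloads is either 32-bit or was already carrying the Gate A marker from an earlier infection, and the presence or absence of the two marker files in `%appdata%` tells the two cases apart.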
C2 Infrastructure
Single cleartext HTTP IP. No domain, no HTTPS, no rotation.
| URL | Purpose | Gate |
|---|---|---|
| http://178.16.54.109/14.exe | Generic payload | None |
| http://178.16.54.109/peinf.exe | Generic payload | None |
| http://178.16.54.109/xmr.exe | Likely cryptominer | x64 Windows |
| http://178.16.54.109/xmrget.exe | Likely cryptominer fetcher | x64 + Build >21999 |
| http://178.16.54.109/grab.exe | Likely infostealer/grabber | Marker file D |
Delta from sibling 6b8527a7: 15.exe is absent from both strings and decompiled flow. Likely added in the later 16:56 build. ^[strings.txt] ^[r2:sym.main]
Deploy / ATT&CK
Static-only inference. No runtime data.
| Technique | ID | Evidence |
|---|---|---|
| User Execution: Malicious File | T1204.002 | Spam-delivered PE32 executable ^[metadata.json] |
| Ingress Tool Transfer | T1105 | WinInet/URLMon HTTP download of follow-on payloads ^[r2:fcn.004010a8] |
| Deobfuscate/Decode Files or Information | T1140 | Zone.Identifier ADS deletion post-download ^[r2:fcn.004010a8] |
| Indicator Removal: File Deletion | T1070.004 | DeleteFileW on origin marker ^[r2:fcn.004010a8] |
| System Information Discovery | T1082 | RtlGetVersion via GetProcAddress to gate mining payload ^[r2:fcn.00401435] |
| System Owner/User Discovery | T1033 | %appdata% path expansion for marker files ^[r2:fcn.004012fb] |
| Obfuscated Files or Information | T1027 | Randomized %TEMP% filenames (%s\\%d%d.exe) with PRNG seeded on GetTickCount ^[r2:fcn.004010a8] |
| Create Process | T1106 | CreateProcessW with CREATE_NO_WINDOW for stealth execution ^[r2:section..text] |
| Command Execution | T1059.001 | ShellExecuteW fallback with verb=open ^[r2:section..text] |
No persistence mechanism observed in this binary. The downloader writes no Run keys, tasks, or services. Persistence relies on spam re-delivery or follow-on payloads.
Deployable Signatures
YARA
```yara
// The pe module must be imported for pe.number_of_sections / pe.imports().
import "pe"

rule phorpiex_msvc9_thin_downloader {
    meta:
        description = "Phorpiex campaign MSVC9 thin HTTP downloader (10 KB, dual-fetch, Zone.Identifier cleanup)"
        author = "triage"
        reference = "/intel/analyses/025f57988953e3d23e1657a9af5610887e57c5390a82f73b4b2b99c30eef3b70.html"
        date = "2026-06-07"
        hash = "025f57988953e3d23e1657a9af5610887e57c5390a82f73b4b2b99c30eef3b70"
    strings:
        $ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" wide
        $ip = "http://178.16.54.109/" ascii
        $zone = "%s:Zone.Identifier" wide
        $marker_a = "d3333333333333333333.txt" wide
        $marker_b = "f3f3f3d3d.txt" wide
        $temp_fmt = "%s\\%d%d.exe" wide
        $crt = "MSVCR90.dll" ascii
        $wininet = "WININET.dll" ascii
        $urlmon = "urlmon.dll" ascii
        $manifest_v1 = "Microsoft.VC90.CRT" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 15KB and
        pe.number_of_sections == 5 and
        pe.imports("MSVCR90.dll", "_snwprintf") and
        pe.imports("MSVCR90.dll", "srand") and
        pe.imports("WININET.dll", "InternetOpenW") and
        pe.imports("urlmon.dll", "URLDownloadToFileW") and
        // import-table strings are referenced here; YARA rejects declared but unused strings
        $crt and $wininet and $urlmon and $manifest_v1 and
        4 of ($ua, $ip, $zone, $marker_a, $marker_b, $temp_fmt)
}
```
Behavioral Fingerprint
A ~10 KB PE32 MSVC9 executable compiled May 2026, linking MSVCR90.dll, WININET.dll, urlmon.dll, and SHLWAPI.dll. On launch it sleeps 2 seconds, then fetches up to five payloads over cleartext HTTP from 178.16.54.109 using a hardcoded Chrome 128 64-bit User-Agent. Downloads are written to randomly-named files in %TEMP% before the Zone.Identifier ADS is deleted. Execution uses CreateProcessW (CREATE_NO_WINDOW) with a ShellExecuteW fallback. Two marker files in %appdata% (d3333333333333333333.txt, f3f3f3d3d.txt) gate later payloads. Architecture and OS build gating (RtlGetVersion, PathFileExistsW on Program Files (x86)) steer cryptocurrency mining payloads toward modern x64 Windows hosts. No packing, no string encryption, no persistence.
IOCs
| Indicator | Type | Context |
|---|---|---|
| 025f57988953e3d23e1657a9af5610887e57c5390a82f73b4b2b99c30eef3b70 | SHA-256 | This sample |
| 178.16.54.109 | IP | C2 server |
| http://178.16.54.109/14.exe | URL | Generic payload |
| http://178.16.54.109/peinf.exe | URL | Generic payload |
| http://178.16.54.109/xmr.exe | URL | Likely cryptominer (gated) |
| http://178.16.54.109/xmrget.exe | URL | Likely cryptominer fetcher (gated) |
| http://178.16.54.109/grab.exe | URL | Likely infostealer (gated) |
| %appdata%\d3333333333333333333.txt | File | Marker gate A |
| %appdata%\f3f3f3d3d.txt | File | Marker gate D |
| %TEMP%\<rand>_<rand>.exe | File | Staged payload |
Interesting Tidbits
- Live campaign, two builds in one day: `025f57` compiled at 13:06 UTC; sibling `6b8527a7` at 16:56 UTC — a 3h51m iteration cycle adding `15.exe`. Rapid iteration suggests active A/B testing or incremental payload expansion. ^[pefile.txt:33]
- Honest entry point: Unlike older Phorpiex siblings (e.g. `755bed07`) that hijack `_initterm` to stage payload before `main()`, both `025f57` and `6b8527a7` use a standard CRT startup → `main()` flow. The `initterm` technique appears to have been retired in this campaign wave. ^[r2:entry0]
- Zero anti-analysis beyond Sleep: No `IsDebuggerPresent` usage, no VM checks, no export obfuscation, no API hashing. The binary is functionally transparent — a sign of crimeware commodity tooling optimized for volume over stealth. ^[r2:sym.imp.KERNEL32.dll_IsDebuggerPresent]
References
- Sibling analysis: /intel/analyses/6b8527a7f761e8a5489b81ea8a79cbbbd9c09485b9b5d7c28cd892ef66599339.html
- Family entity: phorpiex
- Technique: wininet-urlmon-dual-download
- Technique: marker-file-mutex-gating
Provenance
- `file.txt` — `file` command output
- `pefile.txt` — `pefile` python library header dump
- `rabin2-info.txt` — radare2 `rabin2 -I` summary
- `strings.txt` — `strings -n 6` raw ASCII/Unicode strings
- `yara.txt` — `yara` rules output
- `exiftool.json` — ExifTool PE metadata
- `dynamic-analysis.md` — CAPE status (skipped)
- Radare2 analysis: level-3 analysis (`aaa`), decompilation via `pdc` on functions `entry0`, `main`, `fcn.004010a8`, `fcn.00401000`, `fcn.004012fb`, `fcn.00401370`, `fcn.004013e5`, `fcn.00401435`