type: analysis | family: phorpiex | confidence: medium | tags: malware-family, phorpiex, spam-bot, sextortion, smtp-engine, zip-constructor, http-downloader, msvcr90, dropped-by-phorpiex
SHA-256: 17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3

phorpiex: 17960bcb — MSVCR90 sextortion spam bot with built-in SMTP engine, ZIP constructor, and HTTP downloader

Executive Summary

24 KB PE32 MSVC9 binary labeled dropped-by-phorpiex. Unlike the screensaver-masquerade stub sibling (755bed07), this sample is a fully self-contained sextortion spam bot: it downloads target lists and payload images via HTTP, constructs ZIP attachments containing a renamed screensaver payload, and sends sextortion emails via direct SMTP with self-spoofed sender addresses, forged Received headers, and a hardcoded Bitcoin wallet demand. No external dropper or second stage is required; the spam logic is entirely in .text.

What It Is

| Field | Value | Source |
|---|---|---|
| SHA-256 | 17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3 | triage.json |
| File type | PE32 executable (GUI) Intel 80386, 5 sections | file.txt |
| Size | 23,552 bytes | metadata.json |
| Compile time | 2026-05-22 17:07:58 UTC | pefile.txt:34, rabin2-info.txt:11 |
| Linker | 9.0, MSVC C runtime (MSVCR90.dll) | exiftool.json:18 |
| Subsystem | Windows GUI | pefile.txt:67 |
| Signed | No | rabin2-info.txt:27 |
| Overlay | None | rabin2-info.txt:23 |
| OpenCTI label | dropped-by-phorpiex | metadata.json:7 |

Family ascription

Shares the dropped-by-phorpiex OpenCTI label and the same MSVC9/MSVCR90 build toolchain as sibling 755bed07, compiled within hours of each other (both 2026-05-22). However, the behavioral payload is entirely different: 755bed07 is a minimal stub with a hidden .rsrc payload and a decoy screensaver error dialog, while 17960bcb contains a complete SMTP client, HTTP downloader, ZIP constructor, and sextortion email template. The label likely marks a shared spam-campaign delivery channel rather than a single-codebase family.^[/intel/analyses/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b.html]

How It Works

1. Entry & instance mutex

main() at 0x00402d70 starts with a 2-second sleep, then creates a mutex named ww88ww8w8.^[ghidra:FUN_00402d70] If GetLastError() returns 0xB7 (ERROR_ALREADY_EXISTS), the process exits immediately.^[r2:main@0x00402d70] This prevents multiple instances on the same host.

2. ADS deletion

The binary obtains its own path via GetModuleFileNameW, appends :Zone.Identifier, and deletes it via DeleteFileW.^[ghidra:FUN_00402d70] This removes the "downloaded from internet" mark that Windows adds to browser-downloaded files.

3. Connectivity probe

Calls FUN_00401c10(), which queries DNS for yahoo.com and attempts a TCP connection to port 0x19 (25/SMTP) on the resolved address.^[ghidra:FUN_00401c10] If either step fails, the process exits. This is a crude internet-connectivity and SMTP-reachability gate.

4. C2 URL decoding

Before spawning the worker thread, main() calls FUN_004013b0() to decode an encrypted URL stored at 0x0040602c.^[ghidra:FUN_004013b0] The decoder uses a 4-byte XOR key {0x54,0x6d,0x6c,0x72} ("Tmlr") applied cyclically, followed by a bitwise NOT (~) on each byte. The decoded string becomes the base URL for all subsequent HTTP fetches.
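As an added example (not code from the sample or from the report's tooling), the decoder described above reimplemented in Python, so the base URL can be recovered from a carved copy of the blob at 0x0040602c instead of running the binary. The encrypted bytes below are constructed from a placeholder URL; the loop bound of the original routine (blob length versus a terminator) is not stated on the page and is assumed here to be the length of the carved blob.

```python
# Added example: reimplementation of the XOR("Tmlr") + bitwise-NOT string
# decoder reported for FUN_004013b0. Not the sample's own code.

KEY = bytes([0x54, 0x6D, 0x6C, 0x72])  # "Tmlr", the 4-byte cyclic key from the report


def decode_url(blob: bytes, key: bytes = KEY) -> str:
    """XOR each byte with the cyclic key, then bitwise NOT (masked to 8 bits).

    Because ~(b ^ k) == (~b) ^ k, the transform is an involution: the same
    function encrypts, so a round trip is a cheap self-check on a carved blob.
    Assumption: the caller passes exactly the encrypted bytes (no padding).
    """
    out = bytes((~(b ^ key[i % len(key)])) & 0xFF for i, b in enumerate(blob))
    return out.decode("ascii", errors="replace")


def encode_url(url: str, key: bytes = KEY) -> bytes:
    """Same transform applied to plaintext; used only to build the constructed blob."""
    return bytes((~(b ^ key[i % len(key)])) & 0xFF
                 for i, b in enumerate(url.encode("ascii")))


# Constructed sample: a placeholder base URL (not the real C2), encrypted with
# the same scheme so decode_url() can be exercised offline.
PLACEHOLDER_URL = "http://c2.example.invalid/"
SAMPLE_BLOB = encode_url(PLACEHOLDER_URL)


def looks_like_url(text: str) -> bool:
    """Sanity check an analyst would apply to a candidate decode."""
    return text.startswith(("http://", "https://")) and text.isprintable()


if __name__ == "__main__":
    print("encrypted:", SAMPLE_BLOB.hex())
    decoded = decode_url(SAMPLE_BLOB)
    print("decoded:  ", decoded, "| plausible URL:", looks_like_url(decoded))
```

To apply this to the real sample, carve the bytes at the reported offset (the .data RVA maps to a file offset via the section table) and pass them to decode_url(); if the result is not a printable URL, the carved length is wrong.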

5. Worker thread (FUN_004028f0)

Spawned via CreateThread with the decoded URL as argument.^[ghidra:FUN_00402d70] It:

  1. Seeds the CRT RNG with GetTickCount().
  2. Generates a random hostname string (used later for SMTP EHLO) via FUN_004014d0().
  3. Expands %temp% to a working directory.
  4. Downloads [base]n.txt (a count/iteration file) and [base]a (a payload image) via HTTP using a hardcoded Chrome 96 User-Agent.^[ghidra:FUN_00401c80]^[strings.txt:9]
  5. If both downloads succeed, it constructs a ZIP file via FUN_004030f0() containing the downloaded payload renamed to Pervert.scr.^[ghidra:FUN_004030f0]
  6. Base64-encodes the ZIP into another temp file via FUN_00401000().
  7. Enters the spam loop:
    • Downloads [base][N].txt (email target list) where N is a random index up to the count read from n.txt.
    • For each target file, spawns 5,000 threads (100 outer batches × 50 inner threads) calling FUN_00402790(), each sending one email.
    • Sleeps 6000ms between batches.
    • Deletes temp files after each batch.
    • Re-fetches n.txt on every iteration; exits when the count drops to zero or below.

6. SMTP engine (FUN_00401d90)

Each worker thread calls FUN_00401d90() with the recipient address.^[ghidra:FUN_00401d90] The function:

  1. Resolves the recipient domain's MX (via FUN_00402770) and connects to port 25.
  2. Runs a state-machine SMTP client:
    • State 1: reads banner, sends EHLO or HELO with the random hostname.
    • State 3: MAIL FROM: using the recipient's own address (self-spoofing).
    • State 4: RCPT TO: the target.
    • State 5: DATA.
    • State 6: constructs the full MIME message with:
      • Two forged Received headers (MailEnable ESMTP + qmail) with random IP octets.^[strings.txt:22-23]
      • Self-spoofed From: and To:.
      • Subject: YOU PERVERT! I RECORDED YOU!^[strings.txt:154]
      • Date and Message-ID with random components.
      • Content-Type: multipart/mixed with a random boundary.
      • Text body: full sextortion message demanding $1200 USD in Bitcoin (BTC) to wallet 1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY.^[strings.txt:34-59]
      • Attachment: Pervert.zip with Content-Transfer-Encoding: base64, streamed from the base64-encoded temp file line-by-line via fscanf(..., "%s\n").
    • State 7: sends QUIT.
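An added detection example, not part of the report's own signatures: the message layout just described (and the self-spoof and forged Received rows of the IOC list further down) checked over a constructed message using Python's standard email module. Host names, IP addresses and the qmail pid/uid values are invented; only the subject, attachment name and wallet string are the ones the report lists.

```python
# Added example: mail-gateway style scoring of the sextortion template
# described in the report. Sample messages are CONSTRUCTED, not captured.
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT = "YOU PERVERT! I RECORDED YOU!"          # from strings.txt:154
LURE_NAME = "Pervert.zip"                          # from strings.txt:62
WALLET = "1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY"      # from strings.txt:57
QMAIL_RE = re.compile(r"\(qmail \d+ invoked by uid \d+\)")


def _flat(header) -> str:
    # Collapse header folding so substring/regex checks see one line.
    return " ".join(str(header).split())


def score_message(raw: bytes) -> dict:
    """Return which template indicators one RFC 5322 message hits, plus a total."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    received = [_flat(h) for h in msg.get_all("Received", [])]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    hits = {
        "self_spoofed_sender": bool(sender) and sender == rcpt,
        "forged_mailenable_received": any("with MailEnable ESMTP" in h for h in received),
        "forged_qmail_received": any(QMAIL_RE.search(h) for h in received),
        "sextortion_subject": _flat(msg.get("Subject", "")) == SUBJECT,
        "lure_attachment": LURE_NAME in attachments,
        "known_wallet_in_body": WALLET in body,
    }
    return {"indicators": hits, "score": sum(hits.values())}


def build_constructed_sample() -> bytes:
    """A message shaped like the bot's template; every value except SUBJECT,
    LURE_NAME and WALLET is made up for this example."""
    msg = EmailMessage()
    msg["Received"] = ("from mx1.example.invalid ([203.0.113.7]) by mail.example.invalid "
                       "with MailEnable ESMTP; Mon, 1 Jun 2026 10:00:00 +0000")
    msg["Received"] = "(qmail 48211 invoked by uid 1001); 1 Jun 2026 09:59:58 -0000"
    msg["From"] = "victim@example.invalid"
    msg["To"] = "victim@example.invalid"          # MAIL FROM == RCPT TO, as the bot does
    msg["Subject"] = SUBJECT
    msg.set_content("[constructed body] demand: $1200 USD in Bitcoin (BTC) to the wallet below\n"
                    + WALLET + "\n")
    msg.add_attachment(b"PK\x03\x04 placeholder, not a real archive",
                       maintype="application", subtype="zip", filename=LURE_NAME)
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Does noon work?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("template", build_constructed_sample()), ("benign", build_benign_sample())):
        print(label, score_message(raw))
```

The self-spoof check is the most durable of the six: the subject, wallet and file names change between campaigns, but a message whose envelope sender equals its sole recipient and that carries two Received lines from mutually incompatible MTAs (MailEnable and qmail) is a pattern worth a quarantine rule on its own.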

7. ZIP constructor (FUN_004030f0)

Manually assembles a standards-compliant ZIP file without using any ZIP library:^[ghidra:FUN_004030f0]

  • Writes a local file header (0x04034b50), file name (Pervert.scr), and payload data.
  • Appends a central directory header (0x02014b50).
  • Finishes with an end-of-central-directory record (0x06054b50).
  • Uses a fabricated DOS timestamp from FUN_00403470() (constrained to 1999–2004).
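An added triage example (not code from the sample or the report): a minimal reader for the three structures the hand-rolled constructor emits, which walks EOCD to central directory to local header, cross-checks the two names, verifies the CRC of stored data, and flags the 1999–2004 timestamp window and the .scr entry name the report describes. The sample archive is constructed with Python's zipfile module; the parser itself uses only struct.

```python
# Added example: structural walk of a ZIP for triage. Signatures and field
# layouts are the PKWARE APPNOTE ones the report names; the archive is CONSTRUCTED.
import io
import struct
import zipfile
import zlib
from datetime import datetime

LOCAL_FILE_HEADER_SIG = 0x04034B50
CENTRAL_DIR_HEADER_SIG = 0x02014B50
END_OF_CENTRAL_DIR_SIG = 0x06054B50


def dos_to_datetime(dos_time: int, dos_date: int):
    """Decode MS-DOS packed date/time (2-second resolution); None if invalid."""
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:  # month 0, day 0, hour 25: a common tell of a fabricated field
        return None


def walk_archive(blob: bytes) -> list:
    """Parse EOCD -> central directory -> each local header, returning one dict per entry."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (sig, _disk, _cd_disk, _here, total, _cd_size, cd_off, _clen) = struct.unpack_from("<IHHHHIIH", blob, eocd)
    assert sig == END_OF_CENTRAL_DIR_SIG
    entries, pos = [], cd_off
    for _ in range(total):
        (sig, _made, _need, _flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen, clen, _disk_no, _iattr, _eattr, lh_off) = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if sig != CENTRAL_DIR_HEADER_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        name = blob[pos + 46:pos + 46 + nlen].decode("cp437")
        (lsig, *_rest, lnlen, lxlen) = struct.unpack_from("<IHHHHHIIIHH", blob, lh_off)
        if lsig != LOCAL_FILE_HEADER_SIG:
            raise ValueError(f"bad local file header signature at {lh_off:#x}")
        local_name = blob[lh_off + 30:lh_off + 30 + lnlen].decode("cp437")
        data_start = lh_off + 30 + lnlen + lxlen
        data = blob[data_start:data_start + csize]
        when = dos_to_datetime(mtime, mdate)
        entries.append({
            "name": name,
            "names_agree": name == local_name,        # hand-rolled writers sometimes differ here
            "stored": method == 0,
            "crc_ok": method == 0 and zlib.crc32(data) == crc,
            "mtime": when,
            "stale_timestamp": when is not None and 1999 <= when.year <= 2004,
            "screensaver_lure": name.lower().endswith(".scr"),
            "uncompressed_size": usize,
        })
        pos += 46 + nlen + xlen + clen
    return entries


def triage(blob: bytes) -> dict:
    entries = walk_archive(blob)
    flagged = [e["name"] for e in entries
               if e["stale_timestamp"] or e["screensaver_lure"] or not e["names_agree"] or not e["crc_ok"]]
    return {"entries": len(entries), "flagged": flagged}


def build_constructed_sample() -> bytes:
    """Archive shaped like the bot's output: one stored .scr entry with a 2001 timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("Pervert.scr", date_time=(2001, 3, 4, 5, 6, 8))
        zf.writestr(info, b"CONSTRUCTED PLACEHOLDER, NOT A REAL PAYLOAD")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

Walking the structures by hand rather than through zipfile matters for this kind of sample: a writer that computes its own header math can produce archives that one extractor accepts and another rejects, and a parser that reports the disagreement (name mismatch, bad CRC, impossible DOS date) is what distinguishes a lure built by hand from a normal archive.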

C2 Infrastructure

| Component | Observation | Inference |
|---|---|---|
| Base URL | Encrypted at 0x40602c, decoded at runtime | The actual C2 domain is not recoverable statically without reimplementing the decoder |
| Download paths | [base]n.txt, [base]a, [base][N].txt | Count file, payload image, and per-target email lists |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/96.0.4664.110 | Hardcoded, used for all HTTP fetches^[strings.txt:9] |
| SMTP port | 25 (direct MX connect) | No relay or authenticated submission |
| Bitcoin wallet | 1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY | Hardcoded in email template^[strings.txt:57] |
| Mutex | ww88ww8w8 | Instance singleton^[strings.txt:155] |
| Attachment name | Pervert.zip containing Pervert.scr | Social-engineering lure^[strings.txt:62,64] |

Interesting Tidbits

  • Fresh build: compiled 2026-05-22, same day as sibling 755bed07 — suggesting a coordinated campaign build pipeline.^[pefile.txt:34]
  • Self-spoofing: the MAIL FROM address is the victim's own email, making SPF/DKIM failures obvious but still effective against casual recipients.
  • Thread storm: 5,000 concurrent SMTP threads with 50ms jitter between spawns is an aggressive design that will exhaust local ephemeral ports and likely trigger rate limits quickly.
  • No TLS: SMTP connection is plaintext (socket + connect, no STARTTLS or SSL imports observed).^[pefile.txt:292-303]
  • ZIP hand-rolled: the author wrote raw ZIP header math rather than linking zlib or zipfldr.dll, indicating a deliberate minimal-dependency build.^[ghidra:FUN_004030f0]
  • Chrome 96 UA: Chrome 96 was released November 2021; the UA is stale but generic enough to blend in.

How To Mess With It (Homelab Replication)

Toolchain: Visual Studio 2008 (MSVCR90), Win32 Release, /MT /O2 /GS- /SUBSYSTEM:WINDOWS.

Key components to replicate:

  1. XOR+NOT string decoder — 4-byte cyclic key then ~byte.
  2. Manual ZIP writer — write 0x04034b50, 0x02014b50, 0x06054b50 structures with DOS date fields.
  3. SMTP state machine — raw WinSock to port 25, parse banner for ESMTP, send EHLO/HELO → MAIL FROM → RCPT TO → DATA → QUIT.
  4. Base64 streamer — read a file line-by-line and inject into MIME body.

Verification: Run in a sandbox with a local SMTP honeypot (e.g., inetd + nc) and HTTP server serving n.txt, a, and 1.txt. Observe the ZIP construction and email format.

Deployable Signatures

YARA rule

```yara
import "pe"

rule phorpiex_sextortion_spam_bot {
    meta:
        description = "Phorpiex sextortion spam bot — SMTP engine, ZIP constructor, HTTP downloader"
        author = "Titus — PacketPursuit"
        hash = "17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3"
        date = "2026-06-03"
    strings:
        $mutex = "ww88ww8w8" ascii wide
        $ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" ascii wide
        $btc = "1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY" ascii
        $subject = "YOU PERVERT! I RECORDED YOU!" ascii wide
        $zip_name = "Pervert.zip" ascii wide
        $scr_name = "Pervert.scr" ascii wide
        $esmtp = "ESMTP" ascii
        $mail_from = "MAIL FROM: %s\r\n" ascii
        $rcpt_to = "RCPT TO: <%s>\r\n" ascii
        $mailenable = "MailEnable ESMTP" ascii
        $qmail = "qmail %s invoked by uid %s" ascii
        $msvcr90 = "MSVCR90.dll" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 35KB and
        pe.number_of_sections == 5 and
        $msvcr90 and
        5 of ($mutex, $ua, $btc, $subject, $zip_name, $scr_name) and
        3 of ($esmtp, $mail_from, $rcpt_to, $mailenable, $qmail)
}
```

Sigma-like behavioral hunt

```yaml
title: Phorpiex Sextortion Spam Bot Execution
detection:
    selection_mutex:
        - CreateMutexA|contains: 'ww88ww8w8'
    selection_process:
        - Image|endswith: '.exe'
    selection_network:
        - InitiatedConnection|dest_port: 25
        - InitiatedConnection|dest_port: 80
        - InitiatedConnection|dest_port: 443
    selection_file:
        - FileCreated|endswith: 'Pervert.scr'
        - FileCreated|endswith: 'Pervert.zip'
    condition: selection_process and (selection_mutex or (selection_network and selection_file))
```

IOC list

| Type | Value | Note |
|---|---|---|
| SHA256 | 17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3 | This sample |
| Mutex | ww88ww8w8 | Instance singleton |
| Bitcoin wallet | 1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY | Hardcoded demand |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 | HTTP fetch UA |
| Attachment | Pervert.zip / Pervert.scr | Social engineering lure |
| SMTP self-spoof | MAIL FROM: == victim address | Header forgery pattern |
| Fake header | Received: from ... by ... with MailEnable ESMTP | |
| Fake header | Received: (qmail ... invoked by uid ...) | |
| Network | TCP/25 to resolved MX | Direct SMTP |
| Network | HTTP GET to [base]n.txt, [base]a, [base][N].txt | Payload staging |

Behavioral fingerprint

This 24 KB PE32 GUI executable links against MSVCR90 and imports WININET, WS2_32, DNSAPI, SHLWAPI, and KERNEL32. On launch it sleeps 2 seconds, creates mutex ww88ww8w8, deletes its own Zone.Identifier ADS, probes DNS for yahoo.com and tests SMTP port 25 reachability. It then decodes an encrypted base URL via XOR-with-"Tmlr" followed by bitwise NOT, downloads n.txt (iteration count) and a (payload image) over HTTP with a Chrome 96 User-Agent, constructs a ZIP file containing the image renamed to Pervert.scr, base64-encodes the ZIP, and sends sextortion emails via direct SMTP to targets downloaded as numbered .txt files. Each email self-spoofs the sender address, includes forged MailEnable/qmail Received headers, demands $1200 BTC to wallet 1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY, and attaches the base64-encoded ZIP as Pervert.zip. The bot spawns up to 5,000 concurrent SMTP threads per target list with 50ms jitter.

Detection Signatures (capa→ATT&CK)

  • (capa unavailable — signature database not installed on this host)

Static inferred TTPs:

  • T1566.001 — Phishing: Spearphishing Attachment (sextortion email with Pervert.zip)
  • T1071.003 — Application Layer Protocol: Mail Protocols (direct SMTP to port 25)
  • T1048 — Exfiltration Over Alternative Protocol (SMTP used as communication channel)
  • T1027.002 — Obfuscated Files or Information: Software Packing (ZIP construction, base64 encoding of payload)
  • T1497.001 — Virtualization/Sandbox Evasion: System Checks (DNS+yahoo.com connectivity gate before main behavior)
  • T1204.002 — User Execution: Malicious File (initial delivery vector, per OpenCTI label)

References

  • OpenCTI artifact: e1de6d4f-f619-42d4-87a0-27e926b30528
  • MalwareBazaar sample page: https://bazaar.abuse.ch/sample/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3/
  • Sibling analysis: /intel/analyses/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b.html
  • Phorpiex entity: entities/phorpiex.md

Provenance

  • Static artifacts: file, pefile, exiftool, strings, ssdeep, tlsh, yara, rabin2, binwalk — generated by triage-fast pipeline (2026-05-26).
  • Decompilation: radare2 pdc and Ghidra pseudo-C (function-level).
  • No CAPE detonation: dynamic-analysis.md flags "skipped — no CAPE machine currently available for platform windows."