type: analysis
family: phorpiex
confidence: medium
tags: malware-family, loader, msvcr90, screensaver-masquerade, anti-debug, resource-section-payload, dropped-by-phorpiex
SHA-256: 755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b

Phorpiex: 755bed07 — screensaver masquerade MSVCR90 stub, .rsrc payload staging

Executive Summary

21 KB PE32 MSVC9 stub masquerading as a Microsoft screen saver. Decoy main() pops a fake DLL-error dialog while the real payload is believed staged inside a 15 KB high-entropy .rsrc icon resource. No dynamic execution available (CAPE Windows guest offline); mechanism inferred statically from PE layout, entropy, and IAT profile.

What It Is

| Field | Value | Source |
|---|---|---|
| SHA-256 | 755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b | triage.json |
| File type | PE32 executable (GUI) Intel 80386, 5 sections | file.txt |
| Size | 21 504 bytes | metadata.json |
| Compile time | 2026-05-22 06:23:27 UTC, four days before the 2026-05-26 triage run | pefile.txt:34, rabin2-info.txt:11 |
| Linker | 9.0, MSVC C runtime (MSVCR90.dll) | strings.txt:24, exiftool.json:18 |
| Subsystem | Windows GUI | pefile.txt:67 |
| Signed | No | pefile.txt:27, rabin2-info.txt:27 |
| Overlay | None | rabin2-info.txt:23 |
| OpenCTI label | dropped-by-phorpiex | metadata.json:7 |

Phorpiex attribution

This label applies to dozens of corpus samples; they share no single build fingerprint but cluster as spam-delivered droppers/stagers historically attributed to the Phorpiex botnet. The screensaver masquerade, tiny IAT, and resource-payload pattern match documented Phorpiex dropper behavior.

How It Works

1. Decoy main()

main() at 0x401000 does exactly three things:^[r2:main@0x401000]^[pefile.txt:50]

  1. Sleep(2000) — two-second delay.
  2. MessageBoxA(NULL, "msaqpaint.dll cannot be found!", "Microsoft Screen Saver", MB_ICONERROR) — fake error to convince the user the binary is a benign screensaver helper.
  3. Returns 0.

No file, registry, or network APIs are reached from main(). The function is pure social engineering.

2. CRT startup flow

Standard MSVCR90 _tmainCRTStartup at 0x401073:

  • Calls IsDebuggerPresent() via KERNEL32 IAT.^[strings.txt:45]
  • Runs initterm table (single entry: _getmainargs wrapper at 0x401028).
  • Invokes main().
  • Calls _cexit / _XcptFilter on termination.

No anti-debug response to IsDebuggerPresent is observable in this binary; the check is a routine CRT artifact, not a deliberate evasion gate.

3. Payload staging — .rsrc section

The .rsrc section is abnormally large for a 21 KB binary:^[pefile.txt:139-156]

  • Size: 0x3A30 (14 896 bytes), about 69% of the 21 504-byte file.
  • Entropy: 7.899 / 8.0, near-maximum, consistent with compressed or encrypted data.
  • Contains one RT_ICON resource (ID 1, 0x36DC = 14 044 bytes, data RVA 0x40E8; pefile reports OffsetToData as an RVA, not a file offset).^[pefile.txt:302-338]
  • binwalk identifies a PNG signature (\x89PNG\r\n\x1a\n) at file offset 0x16E8.^[binwalk.txt:5] That is exactly 0x2A00 below the icon's RVA, which fits the signature sitting at byte 0 of the icon data if .rsrc's virtual-to-raw delta is 0x2A00; the section table in pefile.txt should be checked to confirm that mapping before the header is described as "inside the resource data".

Interpretation: the hostile reading is that the RT_ICON entry stores a decoy PNG header followed by a compressed or encrypted payload; the oversized, high-entropy resource is the only static evidence for it, and no static tool extracted anything. The benign reading has to be ruled out first: a Vista-style 256x256 icon image is stored in RT_ICON data as a complete PNG file, so a PNG signature at offset 0 of the icon is expected, and its deflate-compressed IDAT is also near 8.0 bits/byte at roughly this size. Size, entropy and the signature therefore do not by themselves separate a decoy from a legitimate large icon. What does: whether the blob parses as a PNG with CRC-valid chunks ending in IEND, whether any bytes trail IEND, and whether an RT_GROUP_ICON entry references it (not recorded above; a lone RT_ICON with no group directory would itself be anomalous).
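A PNG signature at the start of an RT_ICON is also what a genuine Vista-style PNG-compressed icon looks like, so the blob should be tested as a PNG rather than only measured. The following is an added example written for this write-up (not part of the triage pipeline and not code recovered from the sample): it walks the PNG chunk chain, verifies each chunk CRC, and reports whether anything trails IEND, then runs on three constructed blobs, a valid large greyscale PNG, a PNG signature glued onto hash-derived filler (the decoy hypothesis), and a valid PNG with filler appended after IEND. The icon bytes themselves are not on this page, so the inputs are synthetic.

```python
"""Structural check for a PNG-shaped RT_ICON blob.

Added example for this write-up, not a triage-pipeline tool and not code from
the sample.  A Vista-style icon image is stored in RT_ICON data as a complete
PNG file: 8-byte signature, IHDR first, CRC-valid chunks, IEND last, nothing
after it.  A decoy PNG header glued onto a compressed or encrypted payload
breaks at least one of those rules, while entropy alone does not tell the two
apart (deflate-compressed image data is also near 8.0 bits/byte)."""
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_icon_blob(data: bytes) -> dict:
    """Walk the PNG chunk chain and report whether the blob is a well-formed PNG."""
    result = {
        "entropy": round(shannon_entropy(data), 3),
        "png_signature": data[:8] == PNG_SIG,
        "png_well_formed": False,
        "chunks": [],
        "trailing_bytes": 0,
        "error": None,
    }
    if not result["png_signature"]:
        result["error"] = "no PNG signature"
        return result
    pos, saw_iend = 8, False
    while pos + 8 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4                    # header + body + CRC
        if end > len(data):
            result["error"] = "chunk %r at 0x%x runs past end of blob" % (ctype, pos)
            return result
        body = data[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", data[end - 4:end])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc_stored:
            result["error"] = "bad CRC on chunk %r at 0x%x" % (ctype, pos)
            return result
        if not result["chunks"] and ctype != b"IHDR":
            result["error"] = "first chunk is not IHDR"
            return result
        result["chunks"].append(ctype.decode("ascii", "replace"))
        saw_iend = ctype == b"IEND"
        pos = end
    if not saw_iend:
        result["error"] = "no IEND chunk"
        return result
    result["trailing_bytes"] = len(data) - pos
    if result["trailing_bytes"]:
        result["error"] = "%d bytes after IEND" % result["trailing_bytes"]
    else:
        result["png_well_formed"] = True
    return result


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_genuine_png(size: int = 256) -> bytes:
    """Constructed sample: a valid 8-bit greyscale PNG shaped like a large icon image."""
    ihdr = struct.pack(">IIBBBBB", size, size, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x ^ y) & 0xFF for x in range(size)) for y in range(size))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows, 9)) + _chunk(b"IEND", b"")


def build_keystream(length: int, seed: bytes = b"constructed payload") -> bytes:
    """Constructed sample: deterministic hash chain standing in for encrypted payload bytes."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < length:
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out[:length])


def build_decoy_blob(size: int = 0x36DC) -> bytes:
    """Constructed sample: PNG signature followed directly by payload bytes, no real chunks."""
    return PNG_SIG + build_keystream(size - len(PNG_SIG))


def build_appended_blob() -> bytes:
    """Constructed sample: a genuine PNG with payload bytes appended after IEND."""
    return build_genuine_png() + build_keystream(0x2000)


if __name__ == "__main__":
    for name, blob in (("genuine", build_genuine_png()), ("decoy", build_decoy_blob()),
                       ("appended", build_appended_blob())):
        print(name, analyze_icon_blob(blob))
```

On the real file the input would be the 0x36DC bytes carved from the RT_ICON data entry (pefile's get_data on the entry's RVA), and the three outcomes map directly onto the readings above: well-formed with no trailing bytes argues for a plain icon, a signature that does not parse argues for the decoy-header hypothesis, and trailing bytes after IEND point to a payload hidden behind a valid image.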

4. Minimal IAT

Import table is stripped to the bone — only 13 KERNEL32 thunks + 1 USER32 + 27 MSVCR90:^[pefile.txt:229-298]

  • KERNEL32: IsDebuggerPresent, Sleep, GetStartupInfoA, SetUnhandledExceptionFilter, basic thread/time utils.
  • USER32: MessageBoxA only.
  • MSVCR90: full CRT runtime (heap, locks, exception handling).

Missing: CreateFileA, WinExec, VirtualAlloc, VirtualProtect, CreateProcess, RegSetValue, socket, InternetOpen, URLDownloadToFile — none appear in the IAT.

This implies payload delivery occurs via runtime API resolution (PEB walking, GetProcAddress via ordinal/hash, or reflective mapping) or the payload resides entirely in the resource section and is extracted/decrypted by code inside .text that resolves its own imports. The .text section shows 17.6% high-byte density and entropy 5.55, which is elevated for a simple CRT stub; there may be a small decoder loop or XOR routine hidden inside it. Without dynamic execution we cannot confirm the exact mechanism.
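The two section-level measures quoted above (entropy 5.55, 17.6% high bytes) become a locator when computed per window, which is how one would look for the suspected decoder or its blob without disassembling anything. The block below is an added example for this write-up, not a triage-pipeline tool and not derived from the sample's bytes: the section contents are a constructed pseudo-x86 filler with a hash-derived blob spliced in, and the thresholds (7.0 bits/byte over a 512-byte window, 40% high bytes) are assumptions tuned to that window size, not values taken from the report.

```python
"""Window scan for data-like regions inside a code section.

Added example for this write-up, not a triage-pipeline tool.  It generalises
the two section-level measures (entropy, share of bytes >= 0x80) to a sliding
window so an anomaly can be localised.  x86 code sits around 5 to 6.5 bits per
byte with well under half its bytes >= 0x80, since opcodes, ModRM bytes and
small immediates cluster in the low half of the byte range; compressed or
encrypted bytes push both measures toward 8.0 and 0.5."""
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_byte_density(data: bytes) -> float:
    """Fraction of bytes with the top bit set."""
    return sum(1 for b in data if b >= 0x80) / len(data) if data else 0.0


def scan_section(data: bytes, window: int = 512, step: int = 64,
                 min_entropy: float = 7.0, min_high: float = 0.40) -> list:
    """Return merged (start, end) offset ranges whose windows exceed both thresholds.

    Window size matters: 512 uniformly random bytes score about 7.6 bits/byte,
    256 only about 7.3, so the entropy floor must match the window."""
    regions = []
    for start in range(0, max(1, len(data) - window + 1), step):
        chunk = data[start:start + window]
        if shannon_entropy(chunk) >= min_entropy and high_byte_density(chunk) >= min_high:
            end = start + len(chunk)
            if regions and start <= regions[-1][1]:  # overlaps the previous flagged window
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    return regions


# Constructed sample input (not bytes from the real sample): pseudo-x86 filler
# drawn from common prologue/epilogue, mov, push/pop, call and branch bytes,
# with a 1 KiB hash-chain blob spliced in to stand for an encrypted payload.
_CODE_BYTES = bytes([
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56, 0x57, 0x8B, 0x45, 0x08,
    0x33, 0xC0, 0x40, 0x50, 0x51, 0x52, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x85,
    0xC0, 0x74, 0x05, 0x6A, 0x01, 0x58, 0x5F, 0x5E, 0x5B, 0x5D, 0xC3, 0x90,
    0x04, 0x24, 0x0C, 0x10, 0x14, 0x18, 0x3B, 0x75, 0x7E,
])


def build_fake_text(total: int = 0x2000, blob_at: int = 0x0C00, blob_len: int = 0x400):
    """Return (section_bytes, (blob_start, blob_end)) for the constructed layout."""
    state, code = 0x755BED07, bytearray()
    while len(code) < total:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF   # LCG, deterministic filler
        code.append(_CODE_BYTES[(state >> 16) % len(_CODE_BYTES)])
    blob, block = bytearray(), hashlib.sha256(b"constructed payload").digest()
    while len(blob) < blob_len:
        blob += block
        block = hashlib.sha256(block).digest()
    code[blob_at:blob_at + blob_len] = blob[:blob_len]
    return bytes(code), (blob_at, blob_at + blob_len)


if __name__ == "__main__":
    text, (b0, b1) = build_fake_text()
    print("whole section: entropy %.2f, high-byte density %.1f%%"
          % (shannon_entropy(text), 100 * high_byte_density(text)))
    for s, e in scan_section(text):
        print("anomalous region 0x%04x-0x%04x (planted blob at 0x%04x-0x%04x)" % (s, e, b0, b1))
```

Run against a real .text dump, a flagged region is a candidate for the embedded data; the decoder itself, being code, will not be flagged and has to be found by looking for references into the flagged range. Whole-section averages like the 5.55 / 17.6% pair hide a small blob inside a few kilobytes of ordinary CRT code, which is exactly why windowing is needed.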

C2 Infrastructure

Unknown / runtime-resolved. No hardcoded IPs, domains, URLs, mutexes, or pipe names were found in any string extraction.^[strings.txt]^[floss.txt]^[capa.txt]

The .rsrc payload may contain C2 config; extraction requires either:

  • Runtime detonation with API hooking (CAPE unavailable).
  • Custom unpacker that strips the PNG header and decompresses/decrypts the blob.

Interesting Tidbits

  • Fresh compile: PE header timestamp 2026-05-22, four days before the 2026-05-26 triage run. The timestamp is written by the builder and is forgeable, but a short shelf-life is typical of spam campaigns.^[pefile.txt:34]
  • Screensaver social engineering: masquerades as Microsoft Screen Saver (legitimate Windows feature name) and references a non-existent msaqpaint.dll. Users familiar with screen saver .scr files may be tricked.^[strings.txt:6-7]
  • Manifest dependency: declares dependency on Microsoft.VC90.CRT version 9.0.21022.8, x86, public key token 1fc8b3b9a1e18e3b. This is the genuine Visual C++ 2008 redistributable manifest.^[strings.txt:62-74]
  • No TLS callbacks, no reloc overwriting: clean standard PE with standard .reloc section. No anti-disassembly tricks visible in the entry path.

How To Mess With It (Homelab Replication)

Toolchain:

  • Visual Studio 2008 (or Visual C++ 2008 Express); the MSVCR90 runtime ships with it
  • Target: Win32, Release, dynamic CRT (/MD). The sample imports MSVCR90.dll and carries the Microsoft.VC90.CRT manifest, which only a dynamically linked CRT produces; /MT would link libcmt statically and drop both.
  • Subsystem: Windows, with the entry point forced to mainCRTStartup, since the decoy is a main() rather than a WinMain() and the Windows-subsystem default entry would otherwise fail to link for lack of WinMain

Build command (cl.exe; options after /link go to the linker):

cl /O2 /MD /W4 /GS- stub.c /link /SUBSYSTEM:WINDOWS /ENTRY:mainCRTStartup

Source skeleton (produces comparable PE):

#include <windows.h>

/* Decoy entry point, mirroring the three calls in main() at 0x401000:
   sleep, fake missing-DLL error box, exit.  The DLL name is arbitrary;
   the sample names msaqpaint.dll. */
int main(void) {
    Sleep(2000);
    MessageBoxA(NULL, "helper.dll cannot be found!", "Microsoft Screen Saver", MB_ICONERROR);
    return 0;
}

Verification:

  • Compare capa output (should match minimal capability set).
  • Compare section entropy. The replica's .rsrc will be tiny and low-entropy; to match the sample, embed a roughly 14 KB compressed blob as an RT_ICON resource and confirm .rsrc entropy climbs toward 7.9.

Deployable Signatures

YARA rule

import "pe"

rule phorpiex_screensaver_stub {
    meta:
        description = "Phorpiex spam dropper — screensaver masquerade with oversized .rsrc"
        author = "Titus — PacketPursuit"
        hash = "755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b"
        date = "2026-06-02"
    strings:
        $msg1 = "Microsoft Screen Saver" ascii wide
        $msg2 = "msaqpaint.dll cannot be found!" ascii wide
        $manifest = "Microsoft.VC90.CRT" ascii wide
        $crt = "MSVCR90.dll" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 30KB and
        pe.number_of_sections == 5 and
        pe.rich_signature.offset > 0 and
        for any i in (0 .. pe.number_of_resources - 1):
            (pe.resources[i].type == pe.RESOURCE_TYPE_ICON and pe.resources[i].size > 0x2000) and
        all of ($msg*) and
        $manifest and
        $crt
}

The pe module must be imported for the pe.* fields, and every declared string has to be referenced in the condition or YARA refuses to compile the rule. $msg2 pins the rule to this build's DLL name; drop it to hunt for sibling stubs that reuse the dialog title with a different decoy name.

Sigma-like behavioral hunt

title: Screensaver Binary Launched From User-Writable Path
description: >
    Hunt for .scr executables started from download, temp or mail-cache paths, the
    delivery pattern of spam-dropped screensaver-masquerade stubs. The dialog strings
    are MessageBoxA arguments that never reach the command line; match them with YARA.
logsource:
    category: process_creation
    product: windows
detection:
    selection_ext:
        Image|endswith: '.scr'
    selection_path:
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\Downloads\'
            - '\INetCache\'
    condition: selection_ext and selection_path
level: low

Caveat: the sample's on-disk file name is not recorded in the triage data, so a copy delivered as .exe will not trip this hunt; the masquerade here is the dialog title, not necessarily the extension.

IOC list

| Type | Value | Note |
|---|---|---|
| SHA256 | 755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b | This sample |
| Mutex | None observed | |
| File path | Unknown | Likely temp path from runtime extraction |
| Network | Unknown | Runtime-resolved or in encrypted blob |
| Registry | Unknown | |
| Masquerade string | Microsoft Screen Saver | Dialog title |
| Masquerade string | msaqpaint.dll cannot be found! | Dialog message |

Behavioral fingerprint

This binary is a 21 KB PE32 GUI executable linked against MSVCR90 with an unusually large .rsrc section (~15 KB, entropy ~7.9). It imports only KERNEL32 basic APIs and USER32.MessageBoxA. On execution it sleeps 2 seconds, then displays a fake "Microsoft Screen Saver" error dialog citing a missing msaqpaint.dll. No file-write, registry, or network calls appear in the IAT; the payload is believed hidden inside the resource icon blob and delivered via runtime API resolution or reflective injection.

Detection Signatures (capa→ATT&CK)

  • (capa unavailable — signature database not installed on this host)

Static inferred TTPs:

  • T1204.002 User Execution: Malicious File (spam-delivered PE)
  • T1036 Masquerading (Microsoft Screen Saver identity)
  • T1027.009 Obfuscated Files or Information: Embedded Payloads (payload staged in .rsrc); T1027.002 Software Packing applies only if the blob proves to be a compressed second stage
  • T1055 Process Injection (speculative: nothing in the IAT or strings shows injection; listed because a stub with no file-write or process APIs would need runtime-resolved ones to deliver anything)
  • T1497.001 Virtualization/Sandbox Evasion: System Checks is not claimed: the IsDebuggerPresent import is MSVCR90 startup boilerplate with no observable response (see CRT startup flow)

References

  • OpenCTI artifact: 3a0a8d7e-ab53-4158-95d7-66e0a4aaf8fa
  • MalwareBazaar sample page: https://bazaar.abuse.ch/sample/755bed077773b6cc7bea81ff624ded0554784accd5745d734742dafb73833b6b/
  • Phorpiex overview: https://securityintelligence.com/news/phorpiex-botnet-resurfaces-tldr-variant/

Provenance

  • Static artifacts: file, pefile, exiftool, strings, ssdeep, tlsh, yara, rabin2, binwalk — generated by triage-fast pipeline (2026-05-26).
  • Decompilation: radare2 pdc (function-level pseudo-C).
  • No CAPE detonation: dynamic-analysis.md flags "skipped — no CAPE machine currently available for platform windows."