type: analysis
family: phorpiex
confidence: medium
created: 2026-06-07
updated: 2026-06-07
tags: malware-family, loader, spam, sextortion, smtp-client, zip-constructor, http-downloader, msvcr90, dropped-by-phorpiex
SHA-256: bb77ef06de83dc5e450572c04f69224c44786bda5eadc9e7a698dc4ef1445edf

phorpiex: bb77ef06 — $500 USD sextortion spam bot, earliest known May-22 campaign build

Executive Summary

A 19 KB PE32 MSVC9 sextortion spam bot, compiled 2026-05-22 13:05:10 UTC — the earliest known build in the May 22 Phorpiex campaign cluster. It shares 100 % of the architectural DNA with siblings 17960bcb and 150e4652 (same SMTP engine, ZIP constructor, thread-storm delivery, XOR+NOT string decryption), but carries three material deltas: a $500 USD ransom demand (vs $1200 in later builds), mutex efaefaef (vs ww88ww8w8 / dd3ff3f3f), and a Chrome/202 User-Agent (vs Chrome/96). The Bitcoin wallet is also distinct. Static-only; no CAPE detonation.

What It Is

| Field | Value | Source |
|---|---|---|
| SHA-256 | bb77ef06de83dc5e450572c04f69224c44786bda5eadc9e7a698dc4ef1445edf | triage.json |
| File type | PE32 executable (GUI) Intel 80386, 5 sections | file.txt |
| Size | 18 944 bytes | metadata.json |
| Compile time | 2026-05-22 13:05:10 UTC | pefile.txt:34, rabin2-info.txt:11 |
| Linker | 9.0 (MSVC C runtime, MSVCR90.dll) | exiftool.json:18 |
| Subsystem | Windows GUI | pefile.txt:67 |
| Signed | No | rabin2-info.txt:27 |
| Overlay | None | binwalk.txt |
| OpenCTI labels | dropped-by-phorpiex, exe, malware-bazaar | metadata.json |
| Family | phorpiex (medium confidence) | triage.json |

Family ascription

This sample is a confirmed campaign sibling of the 17960bcb / 150e4652 sextortion spam bot cluster. The evidence:

  • Same MSVC9/MSVCR90 build toolchain, Linker 9.0, 5-section PE32, Windows GUI subsystem.
  • Same entry flow: Sleep(2000) → CreateMutexA → DeleteFileW(:Zone.Identifier) → WSAStartup → DNS MX probe → XOR+NOT C2 decode → thread spawn.
  • Same embedded SMTP dialogue strings (EHLO, HELO, MAIL FROM, RCPT TO, DATA).
  • Same ZIP constructor pattern (local file header → central directory → EOCD with CRC32).
  • Same thread-storm architecture (100 outer × 50 inner threads, 50–82 ms jitter, 6000 ms batch sleep).
  • Same XOR+NOT string decryption with cyclic key "Tmlr" ^[pefile.txt:34] ^[rabin2-info.txt:11].

Per-sample deltas (detailed below): mutex name, BTC wallet, ransom amount, Chrome UA version.

For the full shared architecture — SMTP state machine, ZIP constructor, HTTP downloader, and base64 MIME encoding — see sibling reports:

  • /intel/analyses/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3.html ($1200 variant, mutex ww88ww8w8)
  • /intel/analyses/150e46523ae4a3e90ce949f15630b2f07d475d3a781188301edded1d527f03af.html ($1200 variant, mutex dd3ff3f3f)

How It Works

Entry point and main() flow

entry0 at 0x00402bc7 is standard MSVCR90 CRT startup (__tmainCRTStartup). No initterm hijack. ^[r2:entry0@0x00402bc7]

main at 0x00402750 ^[r2:main@0x00402750]:

  1. Sleep(2000) — 2-second delay.
  2. CreateMutexA("efaefaef") — single-instance mutex. If GetLastError() == ERROR_ALREADY_EXISTS (0xB7), exits. ^[r2:main@0x00402750]
  3. Deletes its own Zone.Identifier ADS via DeleteFileW. ^[r2:main@0x00402750]
  4. WSAStartup(0x0202, ...) — initializes Winsock. ^[r2:main@0x00402750]
  5. Calls fcn.00401760 (DNS MX resolver for yahoo.com). If the probe fails, exits. ^[r2:fcn.00401760]
  6. Decodes encrypted C2 URL at 0x00406034 via the XOR+NOT decryptor in .text (same algorithm as siblings: cyclic key 0x54 0x6d 0x6c 0x72 / "Tmlr", then bitwise NOT). ^[r2:main@0x004027fb]
  7. Spawns worker thread fcn.004024a0 with the decoded URL as argument. ^[r2:main@0x004027fb]
  8. Enters an infinite Sleep(0xcdfe600 = 216000000 ms ≈ 60 hours) — the main thread never terminates voluntarily.
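The XOR+NOT decoder from step 6, as an added Python reimplementation (not the sample's own code): the key is the page's "Tmlr", but the ciphertext is a constructed placeholder URL, not the real blob at 0x406034.

```python
KEY = b"Tmlr"  # 0x54 0x6d 0x6c 0x72, the cyclic key cited from the sample

def xor_not(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the cyclic key, then invert all bits.

    Both steps are involutions and commute (~(c ^ k) == c ^ k ^ 0xFF),
    so the same routine encodes and decodes; applying it twice is identity.
    """
    return bytes((b ^ key[i % len(key)]) ^ 0xFF for i, b in enumerate(data))

def decode_c2(blob: bytes) -> str:
    """Decode an encrypted, NUL-terminated string as the sample stores it in .data."""
    plain = xor_not(blob)
    end = plain.find(b"\x00")
    return plain[: end if end != -1 else len(plain)].decode("ascii", errors="replace")

def download_paths(base: str, target_list: int = 1) -> list[str]:
    """The fetch targets the worker thread derives from the decoded base URL."""
    return [f"{base}n.txt", f"{base}a", f"{base}{target_list}.txt"]

# CONSTRUCTED ciphertext: a placeholder base URL encrypted with the same scheme,
# standing in for the real encrypted blob (which this example does not contain).
PLACEHOLDER_URL = b"http://c2.example.invalid/"
SAMPLE_BLOB = xor_not(PLACEHOLDER_URL + b"\x00")

if __name__ == "__main__":
    url = decode_c2(SAMPLE_BLOB)
    print("decoded base URL:", url)
    for path in download_paths(url):
        print("  fetch:", path)
```

To apply it to the real sample, read the NUL-terminated bytes at the cited .data offset from the PE and pass them to decode_c2.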

Worker thread (fcn.004024a0)

Identical architecture to sibling 17960bcb: ^[r2:fcn.004024a0]

  1. Seeds srand(GetTickCount()).
  2. Calls fcn.004017d0 — generates a random hostname (3–15 lowercase letters via rand() % 13 + 3 then rand() % 26 + 'a'). Used for SMTP EHLO / HELO. ^[r2:fcn.00401760], ^[r2:fcn.00401390]
  3. Expands %temp% via ExpandEnvironmentStringsW.
  4. Downloads [base]n.txt (iteration count) and [base]a (payload image) via HTTP using InternetOpenW with Chrome 202 UA. ^[r2:fcn.004018d0]
  5. If atoi(n.txt) <= 0, thread exits via ExitThread(0).
  6. Spawns 5 000 threads (100 outer batches × 50 inner threads) calling fcn.00402370, each sending one email. ^[r2:fcn.004024a0]
  7. 50–82 ms jitter (rand() % 50 + 50) between thread spawns; 6000 ms sleep between outer batches. ^[r2:fcn.004024a0]
  8. Cleans up temp files (DeleteFileW) after each batch.
  9. Re-fetches n.txt each iteration; exits when count drops below 1.

SMTP engine (fcn.004019e0 / fcn.00402370)

7-case switch-state SMTP client over raw TCP/25, identical to siblings: ^[r2:fcn.004019e0]

  • Case 0: Reads server banner, checks for "ESMTP" via StrStrA.
  • Case 2: MAIL FROM: <%s>\r\n — self-spoofed using the victim's own address.
  • Case 3: RCPT TO: <%s>\r\n.
  • Case 4: DATA\r\n.
  • Case 5: Assembles full MIME multipart message with forged Received headers (MailEnable ESMTP + qmail), self-spoofed From:/To:, Message-ID, random boundary, sextortion text body, and base64-encoded ZIP attachment.
  • Case 6: QUIT.

ZIP constructor

Manually assembles a standards-compliant ZIP in %TEMP% with local file header (0x04034b50), central directory (0x02014b50), and EOCD (0x06054b50), using a CRC32 lookup table (polynomial 0xEDB88320). The embedded payload image is renamed to Pervert.scr inside the ZIP. ^[/intel/analyses/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3.html]
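An added Python example (not code from the sample or the sibling reports) that walks a ZIP through the same three structures, checks the CRC32 and flags the .scr lure, as a mail-gateway check would; the archive is constructed with the standard library and the payload bytes are a placeholder.

```python
import io
import struct
import zipfile
import zlib  # zlib.crc32 uses the same reflected polynomial 0xEDB88320

LOCAL_HDR_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50

def build_lure_zip(inner_name: str, payload: bytes) -> bytes:
    """CONSTRUCTED stand-in for the attachment: one stored (uncompressed) entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()

def walk_central_directory(data: bytes) -> list[dict]:
    """EOCD -> central directory -> local headers; verify signatures and CRC32."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd == -1:
        raise ValueError("no EOCD record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if struct.unpack_from("<I", data, pos)[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        # method, crc, sizes, name/extra/comment lengths, local header offset
        method, crc, csize, usize, nlen, xlen, clen, local_off = struct.unpack_from(
            "<H4xIIIHHH8xI", data, pos + 10)
        name = data[pos + 46 : pos + 46 + nlen].decode("cp437")
        if struct.unpack_from("<I", data, local_off)[0] != LOCAL_HDR_SIG:
            raise ValueError(f"bad local file header for {name!r}")
        if method != 0:
            raise ValueError("only stored (method 0) entries are parsed here")
        lnlen, lxlen = struct.unpack_from("<HH", data, local_off + 26)
        start = local_off + 30 + lnlen + lxlen
        body = data[start : start + csize]
        entries.append({
            "name": name,
            "size": usize,
            "crc_ok": zlib.crc32(body) == crc,
            "is_scr": name.lower().endswith(".scr"),
        })
        pos += 46 + nlen + xlen + clen
    return entries

def is_sextortion_lure(data: bytes) -> bool:
    """Attachment heuristic: a ZIP whose member is a .scr screensaver executable."""
    return any(e["is_scr"] for e in walk_central_directory(data))
```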

C2 Infrastructure

| Component | Observation |
|---|---|
| Base URL | XOR+NOT encrypted at 0x406034; not recoverable statically without reimplementing the decoder |
| Download paths | [base]n.txt (count), [base]a (payload), [base][N].txt (per-target lists) |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ... Chrome/202.0.4664.110 ^[strings.txt:18] |
| SMTP target | Port 25, direct MX connect to yahoo.com DNS records |
| Mutex | efaefaef ^[strings.txt:149] |
| Attachment | Pervert.zip containing Pervert.scr |

Attribution

  • Hardcoded BTC wallet: 1NXeVuYtcVwJ1do2EUS6qJS8FQSPFabxeE ^[strings.txt:60] — distinct from siblings 17960bcb / 150e4652 (1G1zmqks1vd9V3SdxCY71Hv9C7rHBLQbCY).
  • Compile timestamp 2026-05-22 13:05:10 UTC is ≈ 1 hour before downloader 025f5798 (13:06 UTC) and ≈ 4 hours before the $1200 spam bot 17960bcb (17:07 UTC), suggesting a rapid build pipeline with A/B pricing.
  • Subject line: I FOUND NAKED IMAGES OF YOU! ^[strings.txt:148] — softer framing than the YOU PERVERT! variant.

Interesting Tidbits

  1. Earliest May-22 build: This is the first compiled artefact in the observed cluster, predating the downloader and the $1200 spam bot. It likely represents the initial template.^[pefile.txt:34]
  2. Price testing ($500 vs $1200): The $500 demand suggests A/B testing or geographic/campaign segmentation — same code, different monetization parameters.
  3. Chrome 202 UA: Upgrades from the stale Chrome/96 (Nov 2021) in siblings to Chrome/202 (nonexistent version — typo or forward-dated). A minor string delta, likely automated build-variable insertion.^[strings.txt:18]
  4. No persistence: One-shot spam launcher; no registry, scheduled task, or service installation observed.
  5. Thread-storm unchanged: Despite the reduced ransom amount, the aggressiveness (5 000 SMTP threads) is identical to the later build, suggesting the thread count is hardcoded and not campaign-parameterized.

How To Mess With It (Homelab Replication)

For full replication guidance, see sibling report /intel/analyses/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3.html — the build recipe is identical. The only delta to reproduce is the string content (mutate the sextortion template, change the mutex, and adjust the Chrome UA string).

Verification: Compile with MSVC 9.0, link msvcrt.lib, and verify that capa reports the rules "send data via HTTP", "send data via SMTP" and "create or open file".

Deployable Signatures

YARA rule

rule Phorpiex_Sextortion_500USD_EarlyBuild
{
    meta:
        description = "Phorpiex $500 sextortion spam bot — earliest May-22 campaign build, mutex efaefaef"
        author      = "pp-hermes"
        date        = "2026-06-07"
        hash        = "bb77ef06de83dc5e450572c04f69224c44786bda5eadc9e7a698dc4ef1445edf"
        confidence  = "high"
    strings:
        $s1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/202.0.4664.110 Safari/537.36" ascii wide
        $s2 = "http://icanhazip.com/" ascii wide
        $s3 = "MAIL FROM: %s\r\n" ascii
        $s4 = "RCPT TO: <%s>\r\n" ascii
        $s5 = "Content-type: text/plain;" ascii
        $s6 = "My Bitcoin (BTC) wallet address is: 1NXeVuYtcVwJ1do2EUS6qJS8FQSPFabxeE" ascii
        $s7 = "Pervert.scr" ascii wide
        $s8 = "EHLO %s\r\n" ascii
        $s9 = "HELO %s\r\n" ascii
        $s10 = "yahoo.com" ascii
        $s11 = "efaefaef" ascii
        $s12 = "I FOUND NAKED IMAGES OF YOU!" ascii wide
        $s13 = "All you need is $500 USD in Bitcoin (BTC), transferred to my wallet address." ascii
        $ioc1 = { 54 6D 6C 72 }           // XOR key "Tmlr"
        $ioc2 = { 65 66 61 65 66 61 65 66 } // "efaefaef"
    condition:
        uint16(0) == 0x5A4D and
        filesize > 15KB and filesize < 25KB and
        5 of ($s*) and
        any of ($ioc*)
}

Behavioral hunt query (Sigma-like)

title: Phorpiex Sextortion Spam Bot — Early Build ($500 variant)
detection:
    selection_process:
        Image|endswith: '.exe'
    # single-instance mutex, or the lure archive member written to %TEMP%
    selection_mutex:
        - MutexName: 'efaefaef'
        - TargetFilename|endswith: 'Pervert.scr'
    selection_api:
        - API Call: DeleteFileW
          Target|endswith: ':Zone.Identifier'
        - API Call: WSAStartup
    selection_network:
        - InitiatedConnection:
            DestinationPort: 25
        - InitiatedConnection:
            RemoteUrl: 'icanhazip.com'
    condition: selection_process and (selection_mutex or (selection_api and selection_network))

IOC list

| Type | Value | Context |
|---|---|---|
| SHA-256 | bb77ef06de83dc5e450572c04f69224c44786bda5eadc9e7a698dc4ef1445edf | Sample hash |
| Mutex | efaefaef | Single-instance check ^[strings.txt:149] |
| URL | http://icanhazip.com/ | External IP check ^[strings.txt:19] |
| Domain | yahoo.com | DNS MX query target ^[strings.txt:17] |
| BTC wallet | 1NXeVuYtcVwJ1do2EUS6qJS8FQSPFabxeE | Hardcoded $500 ransom demand ^[strings.txt:60] |
| Attachment | Pervert.zip / Pervert.scr | Social engineering lure |
| Subject | I FOUND NAKED IMAGES OF YOU! | Email subject line ^[strings.txt:148] |
| Temp pattern | %TEMP%\<###><###><###>.zip | Runtime-generated spam attachment |

Behavioral fingerprint

This 18–20 KB PE32 GUI executable links against MSVCR90 and imports WININET, WS2_32, DNSAPI, SHLWAPI, and KERNEL32. On launch it sleeps 2 seconds, creates mutex efaefaef, deletes its own Zone.Identifier ADS, initializes Winsock, queries DNS MX records for yahoo.com, decodes an encrypted C2 base URL via XOR-with-"Tmlr" followed by bitwise NOT, downloads n.txt (iteration count) and a (payload image) over HTTP with a Chrome/202 user-agent, constructs a ZIP file containing the image renamed to Pervert.scr, base64-encodes the ZIP, and sends sextortion emails via direct SMTP to port 25. Each email self-spoofs the sender address, includes forged MailEnable and qmail Received headers, demands $500 USD in Bitcoin (BTC) to wallet 1NXeVuYtcVwJ1do2EUS6qJS8FQSPFabxeE, and attaches the base64-encoded ZIP as Pervert.zip. The bot spawns up to 5 000 concurrent SMTP threads per target list with 50–82 ms jitter.

Detection Signatures (capa→ATT&CK)

| Technique | ID | Evidence |
|---|---|---|
| User Execution: Malicious File | T1204.002 | Spam-distributed PE with social-engineering lure |
| Application Layer Protocol: Web Protocols | T1071.001 | HTTP (InternetOpenW, InternetReadFile) to fetch payload and external IP ^[r2:fcn.004018d0] |
| Application Layer Protocol: Mail Protocols | T1071.003 | Native SMTP client (socket, connect, send, recv) over port 25 ^[/intel/analyses/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3.html] |
| Data Encoded: Base64 | T1132.001 | ZIP attachment transmitted as base64 inside MIME multipart body |
| Data Obfuscation: File Deletion | T1070.004 | Deletes generated temp files and Zone.Identifier ADS after use ^[r2:main@0x00402750] |
| Discovery: Internet Connection Discovery | T1016 | Resolves external IPv4 via icanhazip.com ^[strings.txt:19] |
| Exfiltration: Automated Exfiltration | T1020 | Bulk email delivery of sextortion content to harvested addresses |
| Impact: Data Encrypted for Impact | T1486 | Extortion demand embedded in email body (not file encryption) ^[strings.txt:38-62] |

References

  • SHA-256 artifact: bb77ef06de83dc5e450572c04f69224c44786bda5eadc9e7a698dc4ef1445edf
  • Wiki entity: phorpiex
  • Sibling analysis: /intel/analyses/17960bcb0d7fe57fac3a286fe7e8ba9b53783fdd53a2ef1132ae4d302d2c18f3.html ($1200 variant, mutex ww88ww8w8, Chrome/96 UA)
  • Sibling analysis: /intel/analyses/150e46523ae4a3e90ce949f15630b2f07d475d3a781188301edded1d527f03af.html ($1200 variant, mutex dd3ff3f3f)
  • Sibling analysis: /intel/analyses/025f57988953e3d23e1657a9af5610887e57c5390a82f73b4b2b99c30eef3b70.html — thin HTTP downloader, compiled 1 hour later

Provenance

  • file.txt: file command output (PE32 executable)
  • pefile.txt — pefile PE header dump (linker/compile time, imports, sections)
  • strings.txt — raw ASCII/UNICODE strings (email template, BTC wallet, APIs, mutex)
  • rabin2-info.txt — radare2 binary metadata (compiler, ASLR, signing, timestamp)
  • binwalk.txt — binwalk scan (no overlay)
  • radare2 — level-3 analysis, pdc pseudo-C decompilation (r2 MCP)
  • exiftool.json — EXIFTool PE metadata
  • triage.json — triage classification (dropped-by-phorpiex, deep tier)
  • floss.txt — floss failed (CLI arg error)
  • capa.txt — capa failed (missing signature database)