Phorpiex - Downloader Delivering Ransomware
Jan. 29, 2025, 1:32 p.m.
Description
The report analyzes the Phorpiex botnet's role in delivering LockBit Black ransomware. It highlights the automated execution of the ransomware through Phorpiex, the minimal changes to the botnet's code since its source code was sold in 2021, and the direct deployment of LockBit without lateral movement across the network. The analysis covers the infection flow, the phishing emails used for delivery, and the technical details of the different Phorpiex variants. Key features include URL cache deletion, library obfuscation, indicator removal, and persistence mechanisms. The report also provides a comparative analysis of the LockBit, GandCrab, and TWIZT downloader variants, along with IOCs and a MITRE ATT&CK mapping.
Tags
Date
- Created: Jan. 29, 2025, 12:58 p.m.
- Published: Jan. 29, 2025, 12:58 p.m.
- Modified: Jan. 29, 2025, 1:32 p.m.
Indicators
- 5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8
- a861d931cbeb1541193c8707a7114e21daf4ad6d45099427b99a9d0982d976ae
- 05ca9f97a27b675d24edf621b716159ddebff4f16f70b15b2ca68fc7203308b7
- c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4
- 263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb
- 01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239
- 193.233.132.177
- http://twizt.net/installed
- http://twizt.net
- http://193.233.132.177/lbbb.exe
- http://twizt.net/Installed
- ebe6941ee8a10c14dc933ae37a0f43fc@gsd.com
- jenny@gsd.com
- twizt.net
Attack Patterns
- TWIZT
- Phorpiex
Additional Information
- Wholesale
- Consumer Services
- Aviation
- Professional Services
- Construction
- Retail
- Technology
- Energy
- Legal
- Defense
- Transportation
- Logistics
- Finance
- Manufacturing