General

  • Target

    Server.exe

  • Size

    396KB

  • Sample

    220930-3zkrjagben

  • MD5

    5efd6f7577970a139e6c496353a4d440

  • SHA1

    9eb248739c9ee37463dc7894556dbab953e830d6

  • SHA256

    3cb2fd26e550c2210a94d899a48ecd53216457e9c33f4a623bb3bb63263062a8

  • SHA512

    d46d560854e594a7426075b482d39b728d8ad02907ada85fa24acf63903e5ed012d975698cba975d3247174c6be7f7686014a66d5f8df326eeef54997cb20761

  • SSDEEP

    12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2a+:s9Dbg6lV9C2JOBUIc12a+

Malware Config

Targets

    • Target

      Server.exe

    • Size

      396KB

    • MD5

      5efd6f7577970a139e6c496353a4d440

    • SHA1

      9eb248739c9ee37463dc7894556dbab953e830d6

    • SHA256

      3cb2fd26e550c2210a94d899a48ecd53216457e9c33f4a623bb3bb63263062a8

    • SHA512

      d46d560854e594a7426075b482d39b728d8ad02907ada85fa24acf63903e5ed012d975698cba975d3247174c6be7f7686014a66d5f8df326eeef54997cb20761

    • SSDEEP

      12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2a+:s9Dbg6lV9C2JOBUIc12a+

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks