General

  • Target

    5f2d2046c126e49e308b4e452aabf04b6201edcf6a6bcdb9e0a927110434196c

  • Size

    785KB

  • Sample

    221001-qdfjgahafn

  • MD5

    0a18c645928f3dbc3e1237b3c52e5cf5

  • SHA1

    6bc775b711cab91897b08647a4b130a19774f6f6

  • SHA256

    5f2d2046c126e49e308b4e452aabf04b6201edcf6a6bcdb9e0a927110434196c

  • SHA512

    9fd361727b8f57d3c590a4112cc2bab6974c3b4f54bac022f69f24c52036832a2f63e1d4141a29ff04261ca0d71a8fca302c3c66fb120eb144ddfbb7c2ae2cff

  • SSDEEP

    24576:8X3xV8SlG8AxT4/Kp2s5SyZUk6zRVnghcUUP+Rket:8n4EG16KpIUgPGF

Malware Config

Targets

    • Target

      点击安装(飞机)简体中文语言包_v34.exe

    • Size

      111KB

    • MD5

      cefc0e9cacf1aaa6fd238739d2c73778

    • SHA1

      79d801453e0985157c15667b7c5b4dccee202c01

    • SHA256

      1e893be559a9628d4fc10ba009ecec9640f9b01db2162d7cf003a1ce10b247cd

    • SHA512

      9107d86a951a055cf558303a95bb565d867ff05d6d92dc3fc68489758ab87e6f514370361f14763acd81ab31f3dba099c5da443189e784b8a0c5355a74c2b275

    • SSDEEP

      1536:u5nBnqbxKJ38W2wUa0STkuWBzsIE9guaj6qxGfSVR1hSGYH+8VJ3uc9dlSfjgfsM:wJ3nnU1zLESz6GxVR1h6+8GUU2jisj

    Score
    3/10
    • Target

      英文客户基本聊天用语4d.exe

    • Size

      288KB

    • MD5

      6dd50e46cde774f81c2d9c2f1dd53286

    • SHA1

      ed289db14f1ed2b49befbbde6d50d577c9f00270

    • SHA256

      827a9591ae0e0c65c759b2f38aeea2d112bedf1317e2f577d4c4ff800f3468f1

    • SHA512

      a759f889023cd730f6def0da96ff7eabf5c55565aff417327a96120dd52891ff771fabbc2fd70e298ab41cb4f84e1d63cbff941f02f2febc442265f841c39373

    • SSDEEP

      6144:VFSaxPyF+czKRd6/fTZO4NHbjz7/7ssEPc:VF7xPe+c+ROTTNHblEPc

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      话术大全@88.exe

    • Size

      1.6MB

    • MD5

      1fcb6b9c98d28336e9f904be5cad1aa6

    • SHA1

      5ca27208c8ef301799298db806c627eb8fdcd198

    • SHA256

      828e3e4b918f3b8fa8a25d27e5f8bdec593238664f16320cb1bc13f1c3191d11

    • SHA512

      ae572425657ed0843bee7e7d75bf4be521d3999f0e37d9bc95726255e6b1c5b664cd17fd3c59d2d7163c942e43a3c2b47ae29061fe5d143d680435ee378649a4

    • SSDEEP

      24576:KPQvhAxiAs+5mXS+/JnydHWuyqa9nhC58Kfn4X:KPQZyZ5mXS+/Jny1uhQG

    Score
    4/10
    • Target

      资金盘切客前的裂变话术@.exe

    • Size

      560KB

    • MD5

      70af047bd1f94a5a73629ef27bde5fab

    • SHA1

      61caa47e65ed8a7c68863b608fe3fb71eb85e43f

    • SHA256

      e88911e434654723cc1d9a1b248f9c67fe9b96a2259502822ab5634bd7ea184c

    • SHA512

      d92d1b9bccd5e0b29b419200a7a29e497240281e554665ec0cf0b1929094615e7f1ffd36144fc78ba7299e1f3d3787e796c0eedf95cb89a022832a875449975e

    • SSDEEP

      12288:Qm/xg6QD7AMZ/9WY+iuMMHGHzlkdaaRwz5GQMq+y2vXqsyOtCriP8Wh:hKj/9WYzuMuGTlHcQl2vry+Crih

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect software.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Drops startup file

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Install Root Certificate

    T1130 (1)

  • Modify Registry

    T1112 (2)

Discovery

  • System Information Discovery

    T1082 (8)

  • Query Registry

    T1012 (5)

  • Peripheral Device Discovery

    T1120 (2)

Tasks