General
-
Target
409102da140eade153f71bc17783339f6abf846400330fad58542685918f296f
-
Size
292KB
-
Sample
221023-b7a4hsfggr
-
MD5
97f704560dcff46dce993bcb20c4b586
-
SHA1
eedba8ba1301d602bf7c26b7f7b7c5168b6d7979
-
SHA256
409102da140eade153f71bc17783339f6abf846400330fad58542685918f296f
-
SHA512
3f32e599196079a12110ebe9e7617f293d2bb5f63714e192519814651082a3f019077147208c8e7cfa6d458465a2cd65d515ccc5366fbe6953f5f625f542d36c
-
SSDEEP
6144:rSs33LF1A1hi83SM/oNEnmb7GRM9TkepWGoLL:J51Mi83ho+nXM9T
Malware Config
Targets
-
-
Target
409102da140eade153f71bc17783339f6abf846400330fad58542685918f296f
-
Size
292KB
-
MD5
97f704560dcff46dce993bcb20c4b586
-
SHA1
eedba8ba1301d602bf7c26b7f7b7c5168b6d7979
-
SHA256
409102da140eade153f71bc17783339f6abf846400330fad58542685918f296f
-
SHA512
3f32e599196079a12110ebe9e7617f293d2bb5f63714e192519814651082a3f019077147208c8e7cfa6d458465a2cd65d515ccc5366fbe6953f5f625f542d36c
-
SSDEEP
6144:rSs33LF1A1hi83SM/oNEnmb7GRM9TkepWGoLL:J51Mi83ho+nXM9T
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
UAC bypass
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation