General
-
Target
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90
-
Size
56KB
-
Sample
221026-2r7ewshfgp
-
MD5
2c72f3642a2b4e17e8f54d4a8782c7f5
-
SHA1
55e76b2348a1affccc66df9389aae8b5d39d6c03
-
SHA256
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90
-
SHA512
739bcf49f3c5250baaffe20d175e351192d612ef4f1774b71727529b425d809f2fcc2e1b7cce5124baebcd8979b1c599a7d6017ec6aaca086aeca57ee5004000
-
SSDEEP
768:ITlH3i10e6PQ5WKwl0JRGdGo3DhSZhmE2fI8+ZNX:UlHy1bsKwqJGGoGhmpfIfN
Malware Config
Targets
-
-
Target
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90
-
Size
56KB
-
MD5
2c72f3642a2b4e17e8f54d4a8782c7f5
-
SHA1
55e76b2348a1affccc66df9389aae8b5d39d6c03
-
SHA256
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90
-
SHA512
739bcf49f3c5250baaffe20d175e351192d612ef4f1774b71727529b425d809f2fcc2e1b7cce5124baebcd8979b1c599a7d6017ec6aaca086aeca57ee5004000
-
SSDEEP
768:ITlH3i10e6PQ5WKwl0JRGdGo3DhSZhmE2fI8+ZNX:UlHy1bsKwqJGGoGhmpfIfN
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
UAC bypass
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation