General
-
Target
3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95
-
Size
416KB
-
Sample
221104-1hp9ksdbfn
-
MD5
dfc7f23c614f09dbd3c51b91177ec88b
-
SHA1
0d3b03a486fa37e0fddd7e59c5a329869c663633
-
SHA256
3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95
-
SHA512
25e3d55463d672c18856598c9735e6d6b22152c2123769e1ebc8d13a6acc5843ff745ec1815d9f982b0b75f3036044baac326c8552a9a946eb787b3c4d8e3a7d
-
SSDEEP
6144:REg2/FmkfKc+Mz6aEctnbbWj/VI1N5kvsWT6kRXAfAarxGEEXXUOCwKHmp4N9:OtUsz6aEcV6rVI/HWTxRXAoi647
Malware Config
Targets
-
-
Target
3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95
-
Size
416KB
-
MD5
dfc7f23c614f09dbd3c51b91177ec88b
-
SHA1
0d3b03a486fa37e0fddd7e59c5a329869c663633
-
SHA256
3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95
-
SHA512
25e3d55463d672c18856598c9735e6d6b22152c2123769e1ebc8d13a6acc5843ff745ec1815d9f982b0b75f3036044baac326c8552a9a946eb787b3c4d8e3a7d
-
SSDEEP
6144:REg2/FmkfKc+Mz6aEctnbbWj/VI1N5kvsWT6kRXAfAarxGEEXXUOCwKHmp4N9:OtUsz6aEcV6rVI/HWTxRXAoi647
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation