Overview

overview

10

Static

static

892c3026cd...e2.exe

windows7-x64

10

892c3026cd...e2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2

  • Size

    36KB

  • Sample

    221107-twn54sfgb4

  • MD5

    13f58c8322f1115e391ca4193d843107

  • SHA1

    1e5e9780c26833ee9fb7707442291ddf4dcb2a9b

  • SHA256

    892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2

  • SHA512

    1e06e1ec7cf3f2776b556034dadc7bec6334c5203c16fcaa8ddb5ce7489bf83baf9399078e9d548ba2ca63ee3d0317fddc2f6281a2acd81c239f57f20bf67e91

  • SSDEEP

    384:v9OJ84RJ/QPkZ+VBvKdMAUoHLXZW7O/daeA0FRh:1OJVDIPo+VV+MAhc0daK/

Score
10/10
gh0stratpurplefoxevasionratrootkittrojanupx

Malware Config

Targets

    • Target

      892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2

    • Size

      36KB

    • MD5

      13f58c8322f1115e391ca4193d843107

    • SHA1

      1e5e9780c26833ee9fb7707442291ddf4dcb2a9b

    • SHA256

      892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2

    • SHA512

      1e06e1ec7cf3f2776b556034dadc7bec6334c5203c16fcaa8ddb5ce7489bf83baf9399078e9d548ba2ca63ee3d0317fddc2f6281a2acd81c239f57f20bf67e91

    • SSDEEP

      384:v9OJ84RJ/QPkZ+VBvKdMAUoHLXZW7O/daeA0FRh:1OJVDIPo+VV+MAhc0daK/

    Score
    10/10
    evasiontrojanupxgh0stratpurplefoxratrootkit

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • UAC bypass

      evasiontrojan

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                    Tasks