General

  • Target

    c709b9cd6eb4bf4fafe017cb64eba2fbcd1c74d8159531faca38af0617624d62

  • Size

    1.6MB

  • Sample

    221110-1gtklsgcer

  • MD5

    631910bc9f749e6deb466a7732e96424

  • SHA1

    eae8cba96da0c66ce0e145d0d93efa2ae46ea08c

  • SHA256

    c709b9cd6eb4bf4fafe017cb64eba2fbcd1c74d8159531faca38af0617624d62

  • SHA512

    2965b3b52b17b67ea81ea1f784d0a45f394a4d300d7308bd5855b76672d99b9c13fdb6400ba4b6777f628150c6c4c96a668b191c9b8ce7d41a95604c1db58b4b

  • SSDEEP

    24576:yAMvlk4plaBmq4lUEWAt6JDX8yClGe5Ali8cQv:WOOlQmR9mDsyClGeqlcQv

Malware Config

Targets

    • Target

      c709b9cd6eb4bf4fafe017cb64eba2fbcd1c74d8159531faca38af0617624d62

    • Size

      1.6MB

    • MD5

      631910bc9f749e6deb466a7732e96424

    • SHA1

      eae8cba96da0c66ce0e145d0d93efa2ae46ea08c

    • SHA256

      c709b9cd6eb4bf4fafe017cb64eba2fbcd1c74d8159531faca38af0617624d62

    • SHA512

      2965b3b52b17b67ea81ea1f784d0a45f394a4d300d7308bd5855b76672d99b9c13fdb6400ba4b6777f628150c6c4c96a668b191c9b8ce7d41a95604c1db58b4b

    • SSDEEP

      24576:yAMvlk4plaBmq4lUEWAt6JDX8yClGe5Ali8cQv:WOOlQmR9mDsyClGeqlcQv

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Hidden Files and Directories

2
T1158

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Tasks