General
-
Target
2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a
-
Size
24KB
-
Sample
221115-dherhsef83
-
MD5
046fb6d83046827da18086aa6ac523aa
-
SHA1
945ceb168b4b5f207aa9e516584c32de29bb650c
-
SHA256
2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a
-
SHA512
3c9477c45f95b7815729d7e7ced5427e176d929d8f31f163de5b502e9189ddd5d07a88d6b3b9323a99898672587ba7b071dd8f3691690191f7a4907f26b170b3
-
SSDEEP
192:8FES6pYk/gvPNJv+mv+kAUoynYlLvJpNNwD1iT9fF73At4EaQ9r:8v73NvViTkaQl
Malware Config
Targets
-
-
Target
2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a
-
Size
24KB
-
MD5
046fb6d83046827da18086aa6ac523aa
-
SHA1
945ceb168b4b5f207aa9e516584c32de29bb650c
-
SHA256
2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a
-
SHA512
3c9477c45f95b7815729d7e7ced5427e176d929d8f31f163de5b502e9189ddd5d07a88d6b3b9323a99898672587ba7b071dd8f3691690191f7a4907f26b170b3
-
SSDEEP
192:8FES6pYk/gvPNJv+mv+kAUoynYlLvJpNNwD1iT9fF73At4EaQ9r:8v73NvViTkaQl
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
UAC bypass
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation