General
-
Target
22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c
-
Size
4MB
-
Sample
221127-v15t4aef37
-
MD5
fb69931a9d6a62ef32fc98b6131103cc
-
SHA1
376f89c2b2ef1a8870845e0bd0b21ea80803365b
-
SHA256
22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c
-
SHA512
a2add386060428908a93af759610095f90bc136242248a63a54846f0253e8ee1eea491d6e7b25a13714f1eb8509620913e167da61b30b9e05592275624497851
-
SSDEEP
98304:un4FkxwWUGoRgnQxFa4fdyqMTRd43GJb03+5cJsCzc:u4FkbUGoRZxF/yFMWJ0/zc
Malware Config
Targets
-
-
Target
22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c
-
Size
4MB
-
MD5
fb69931a9d6a62ef32fc98b6131103cc
-
SHA1
376f89c2b2ef1a8870845e0bd0b21ea80803365b
-
SHA256
22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c
-
SHA512
a2add386060428908a93af759610095f90bc136242248a63a54846f0253e8ee1eea491d6e7b25a13714f1eb8509620913e167da61b30b9e05592275624497851
-
SSDEEP
98304:un4FkxwWUGoRgnQxFa4fdyqMTRd43GJb03+5cJsCzc:u4FkbUGoRZxF/yFMWJ0/zc
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Sets service image path in registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Creates a Windows Service
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation