General
-
Target
e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589
-
Size
1MB
-
Sample
221205-ypbcwsbc45
-
MD5
de6e54980d24a1bb736104e73f477244
-
SHA1
0024bed717c493f30a3d9901a71e049c4c89e0b3
-
SHA256
e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589
-
SHA512
ecb5f424834527cb66cdee34811b66840e4f3e9846434950a2de0273cc96cb61dd414ced6970ecd81c04c24fb160a57c85af4cfe4d76c6ed5483b6a4f5333151
-
SSDEEP
49152:FxCIL3egIrU3Vu98kE98kICoqg3Or5Qm:FxCIL3eg+U3k98kE98k2J3Oy
Malware Config
Targets
-
-
Target
e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589
-
Size
1MB
-
MD5
de6e54980d24a1bb736104e73f477244
-
SHA1
0024bed717c493f30a3d9901a71e049c4c89e0b3
-
SHA256
e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589
-
SHA512
ecb5f424834527cb66cdee34811b66840e4f3e9846434950a2de0273cc96cb61dd414ced6970ecd81c04c24fb160a57c85af4cfe4d76c6ed5483b6a4f5333151
-
SSDEEP
49152:FxCIL3egIrU3Vu98kE98kICoqg3Or5Qm:FxCIL3eg+U3k98kE98k2J3Oy
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation