General
-
Target
2146722a3a95cd3f2eca28acc9412f1a2f0eebdcdb0e4773bd2de9c222f74767
-
Size
444KB
-
Sample
221207-1shmgsgc86
-
MD5
a813ee9e9b72e684da714eb2a1ccdf1b
-
SHA1
24bafb9f757952ab0475ffc97b3cca44356a2acf
-
SHA256
2146722a3a95cd3f2eca28acc9412f1a2f0eebdcdb0e4773bd2de9c222f74767
-
SHA512
92e0a4845e2067df791e2db0d7e30c2a5dec1ba164f33064a7719208dc4ca264d3439393d2e98edd7b240a0fa28132bf6bacf5aa5bf216c8abccf35e1a7fe179
-
SSDEEP
6144:X6KdgPUVY1AeI1up6VPrwhWTmH793czdwjzysjjKk18Hame:XJdC1AeIKsshWTmZMzdwNjjK+
Malware Config
Targets
-
-
Target
2146722a3a95cd3f2eca28acc9412f1a2f0eebdcdb0e4773bd2de9c222f74767
-
Size
444KB
-
MD5
a813ee9e9b72e684da714eb2a1ccdf1b
-
SHA1
24bafb9f757952ab0475ffc97b3cca44356a2acf
-
SHA256
2146722a3a95cd3f2eca28acc9412f1a2f0eebdcdb0e4773bd2de9c222f74767
-
SHA512
92e0a4845e2067df791e2db0d7e30c2a5dec1ba164f33064a7719208dc4ca264d3439393d2e98edd7b240a0fa28132bf6bacf5aa5bf216c8abccf35e1a7fe179
-
SSDEEP
6144:X6KdgPUVY1AeI1up6VPrwhWTmH793czdwjzysjjKk18Hame:XJdC1AeIKsshWTmZMzdwNjjK+
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation