General
-
Target
3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
-
Size
460KB
-
Sample
221219-yrgyfsbb2t
-
MD5
3971006fbc82286597136e9104621b6f
-
SHA1
e26a94ad7b28be42c5717846d07d08b3dfb8357e
-
SHA256
3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
-
SHA512
1a643106df2fc60be097d87d2a066c1d3e36241948679e5ad192585ede05a8ec60d073fc00d9b558d8cc506d95eae02b864dbe1a67678c7c30b4f4b773d0c68f
-
SSDEEP
6144:QYrOnQRCjKoIlzTop+q1nkCHE9hGBnVHOZ5mLwRHG1dlV2wQL6tm/mdIp5b+:3X0KoIl3S+q+dGZonYwRHGzyLnp5i
Malware Config
Targets
-
-
Target
3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
-
Size
460KB
-
MD5
3971006fbc82286597136e9104621b6f
-
SHA1
e26a94ad7b28be42c5717846d07d08b3dfb8357e
-
SHA256
3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
-
SHA512
1a643106df2fc60be097d87d2a066c1d3e36241948679e5ad192585ede05a8ec60d073fc00d9b558d8cc506d95eae02b864dbe1a67678c7c30b4f4b773d0c68f
-
SSDEEP
6144:QYrOnQRCjKoIlzTop+q1nkCHE9hGBnVHOZ5mLwRHG1dlV2wQL6tm/mdIp5b+:3X0KoIl3S+q+dGZonYwRHGzyLnp5i
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation