General
Target: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85
Size: 2MB
Sample: 221227-e46b2ahd81
MD5: 5630cbc8bab9ae8c880016900504284a
SHA1: ad94ae9fbf49ac02793078030097632349eebfa8
SHA256: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85
SHA512: 3afbc54695dd186c39d28189450acfddd1ac80bf51e2e58a4e88dc6c294dea1bfa483edc4c21d60bf08f04ad7ad4df11b09be856d34389b227bd3a9e5c15bb52
SSDEEP: 49152:NvyXDbhPJiugp5H3fMOMdw9bjkxiIiFYh/oc51IXa+UI5moW:NvuVQFp5PMOzQyFYh/ZnIhv5mo
Static task: static1
Behavioral task: behavioral1
Sample: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe
Resource: win7-20221111-en
Malware Config
Targets
Target: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85
Size: 2MB
MD5, SHA1, SHA256, SHA512, SSDEEP: same values as in the General section above
- Gh0st RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger: calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging measure; a sample that does this may behave differently under a debugger than in the sandbox run.
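Verifying a local copy of the sample against the hashes listed above, and checking the file image for the API names behind the anti-debugging signature, as an added example. This is not code from the sandbox report or from the Triage service; the list of API names, the default file name (the report's sample name) and the hash-comparison helper are assumptions made for the example. SSDEEP is left out because computing it needs a third-party library; a string hit only shows the name is present in the static image, not that the call is made at runtime.

```python
"""Added example (not part of the sandbox report): verify a local copy of the
sample against the hashes the report lists, and scan the raw file bytes for
API names associated with the NtSetInformationThreadHideFromDebugger signature."""
import hashlib
from pathlib import Path

# Hash values copied from the report's General section.
REPORT_HASHES = {
    "md5": "5630cbc8bab9ae8c880016900504284a",
    "sha1": "ad94ae9fbf49ac02793078030097632349eebfa8",
    "sha256": "61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85",
    "sha512": "3afbc54695dd186c39d28189450acfddd1ac80bf51e2e58a4e88dc6c294dea1bfa483edc4c21d60bf08f04ad7ad4df11b09be856d34389b227bd3a9e5c15bb52",
}

# API names worth flagging when they appear as plain strings in the sample
# (imports by name, or names handed to GetProcAddress). ThreadHideFromDebugger
# is information class 0x11 of NtSetInformationThread. This list is an
# assumption for the example; the report does not enumerate APIs.
ANTI_DEBUG_APIS = (
    b"NtSetInformationThread",
    b"ZwSetInformationThread",
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess",
)


def compute_hashes(data: bytes) -> dict:
    """Return lowercase hex digests keyed like REPORT_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Compare computed digests with report values.

    Returns {algorithm: (expected, actual)} for every mismatch; an empty dict
    means all listed hashes matched. Comparison is case-insensitive because
    tools differ in hex case. Algorithms not computed here (e.g. ssdeep) are
    skipped rather than reported as mismatches.
    """
    actual = compute_hashes(data)
    return {
        alg: (want, actual[alg])
        for alg, want in expected.items()
        if alg in actual and want.lower() != actual[alg]
    }


def find_anti_debug_strings(data: bytes) -> list:
    """Return the names from ANTI_DEBUG_APIS present as ASCII strings in data.

    A packed or obfuscated sample (this one executes dropped files, so the
    interesting code may not be in the outer image) can resolve APIs at
    runtime without the name appearing statically; a miss is not a clean bill
    of health, and a hit only says the string exists.
    """
    return [name.decode() for name in ANTI_DEBUG_APIS if name in data]


def triage_file(path: str) -> dict:
    """Run both checks over a file on disk and summarise the result."""
    data = Path(path).read_bytes()
    return {
        "size": len(data),
        "hash_mismatches": verify_hashes(data, REPORT_HASHES),
        "anti_debug_strings": find_anti_debug_strings(data),
    }


if __name__ == "__main__":
    import sys
    # Default path is an assumption: the sample name used in the report.
    target = sys.argv[1] if len(sys.argv) > 1 else (
        "61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe")
    result = triage_file(target)
    status = "MATCH" if not result["hash_mismatches"] else "MISMATCH"
    print(f"{target}: {result['size']} bytes, hashes {status}")
    for alg, (want, got) in result["hash_mismatches"].items():
        print(f"  {alg}: report {want} != local {got}")
    for name in result["anti_debug_strings"]:
        print(f"  anti-debug API string present: {name}")
```

Run it as `python triage_check.py path/to/sample.exe`; a hash mismatch means the file on disk is not the one the report describes (re-download or re-check the source before trusting any of the behaviour listed above).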
-
MITRE ATT&CK Matrix: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (tactic columns only; no technique entries are listed)