General
- Target: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050
- Size: 2MB
- Sample: 221227-eelakahd6v
- MD5: 54da7310e3ebd8f05fa9b91977d1f00d
- SHA1: 628ed25a7d610df5bae3d79ad7ba17845e6f76f3
- SHA256: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050
- SHA512: 6ccf3cc084f7f2b5b53d539368900f75f8768f251f238760224e4d8e9b25d450b5ac9a220b1eedbc8d5fd6c6267541f51c875108efe490c8a3f14ed137d435e6
- SSDEEP: 49152:icFdPgoYUlOeODCRL1QU5/soxzl+Es3wSF9:17UiJQNo1AEs3w
Static task: static1
Behavioral task: behavioral1
- Sample: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
- Resource: win7-20221111-en
Malware Config
Targets
- Target: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050
Signatures
- Gh0st RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation