General

  • Target

    tmp

  • Size

    375KB

  • Sample

    221230-y65casge36

  • MD5

    ae8feb1dadf827be9a522b4159f3ac9a

  • SHA1

    b93774b6d58ccbe20aaf95d22636502a5eb9f762

  • SHA256

    0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0

  • SHA512

    ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2

  • SSDEEP

    6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8Nh/5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyUd

Malware Config

Targets

    • Target

      tmp

    • Size

      375KB

    • MD5

      ae8feb1dadf827be9a522b4159f3ac9a

    • SHA1

      b93774b6d58ccbe20aaf95d22636502a5eb9f762

    • SHA256

      0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0

    • SHA512

      ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2

    • SSDEEP

      6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8Nh/5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyUd

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks