General
-
Target
ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
-
Size
1MB
-
Sample
230109-k9df4adf65
-
MD5
786e1083e402c760a01f5bbb3a30394c
-
SHA1
9209554639aacf9618ca5984fec28099762df7ed
-
SHA256
ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
-
SHA512
c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
-
SSDEEP
24576:+NfyIrXxi199zh0eROY2ZvVSlVFwxInPkOgWhBMDN:+Nt4FYY2puFwxIsOaN
Malware Config
Targets
-
-
Target
ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
-
Size
1MB
-
MD5
786e1083e402c760a01f5bbb3a30394c
-
SHA1
9209554639aacf9618ca5984fec28099762df7ed
-
SHA256
ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
-
SHA512
c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
-
SSDEEP
24576:+NfyIrXxi199zh0eROY2ZvVSlVFwxInPkOgWhBMDN:+Nt4FYY2puFwxIsOaN
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation