Resubmissions

15-08-2023 16:13

230815-tn5swsbg58 10

15-08-2023 16:07

230815-tkykeadf8s 1

General

  • Target

    pleg.zip

  • Size

    122.9MB

  • Sample

    230815-tn5swsbg58

  • MD5

    9fa65e4744953f8863f8ecd59b0043f3

  • SHA1

    7ce01b3a3f9d942fbb29c09456162a4c679e05bc

  • SHA256

    8857e1127d2d06b194a0b7767a648b1f125984fd7b575a59d328a50f498c3695

  • SHA512

    6c519ffa890391479793582e96782aeb09dbf709662b9b31a70e755e066db71716d35abe2d69881eb9712097b2514e6d99df4cbe3cf94c8d7c3aebc328199be1

  • SSDEEP

    3145728:EKlxbiwxzfmBibpn5e42h/r3w2cIDwppwDBe3oEbd7:EkIii42h/r3r1uwgZ7

Malware Config

Extracted

Family

xorddos

Attributes

  • crc_polynomial

    EDB88320

Targets

    • Target

      pleg.zip

    • Size

      122.9MB

    • MD5

      9fa65e4744953f8863f8ecd59b0043f3

    • SHA1

      7ce01b3a3f9d942fbb29c09456162a4c679e05bc

    • SHA256

      8857e1127d2d06b194a0b7767a648b1f125984fd7b575a59d328a50f498c3695

    • SHA512

      6c519ffa890391479793582e96782aeb09dbf709662b9b31a70e755e066db71716d35abe2d69881eb9712097b2514e6d99df4cbe3cf94c8d7c3aebc328199be1

    • SSDEEP

      3145728:EKlxbiwxzfmBibpn5e42h/r3w2cIDwppwDBe3oEbd7:EkIii42h/r3r1uwgZ7

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • CryptOne packer

      Detects the CryptOne packer as defined in the NCC blog post.

    • mimikatz is an open source tool to dump credentials on Windows

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
