General

  • Target

    874fc4777a84a8be58a1e18cb92046c7f527e421c20766b9e0432093a92e0f56

  • Size

    2.2MB

  • Sample

    230823-1ln6pafg35

  • MD5

    0bd060ae1648ac25479bf282b4383a36

  • SHA1

    81db77138d6fc7d59b9e2d21951574f5ca634dad

  • SHA256

    874fc4777a84a8be58a1e18cb92046c7f527e421c20766b9e0432093a92e0f56

  • SHA512

    e9d1624e72ba747412380aeb4e4407c7ad477bd03cae08122d56e2a905fece65b433218352fd512389c3e2088baf1735364baae251fde4a39c62788bd1ec49f6

  • SSDEEP

    24576:S+ocyj8z3I//bQ0FvyqRORo2zK+j/HsXw5w4ZRrXRXfsq6BKoIIppx7Z6k:SpjD/bR6hRTzziw5wSRr6vIexb

Malware Config

Targets

    • Target

      874fc4777a84a8be58a1e18cb92046c7f527e421c20766b9e0432093a92e0f56

    • Size

      2.2MB

    • MD5

      0bd060ae1648ac25479bf282b4383a36

    • SHA1

      81db77138d6fc7d59b9e2d21951574f5ca634dad

    • SHA256

      874fc4777a84a8be58a1e18cb92046c7f527e421c20766b9e0432093a92e0f56

    • SHA512

      e9d1624e72ba747412380aeb4e4407c7ad477bd03cae08122d56e2a905fece65b433218352fd512389c3e2088baf1735364baae251fde4a39c62788bd1ec49f6

    • SSDEEP

      24576:S+ocyj8z3I//bQ0FvyqRORo2zK+j/HsXw5w4ZRrXRXfsq6BKoIIppx7Z6k:SpjD/bR6hRTzziw5wSRr6vIexb

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks