General

  • Target

    03baf4575570630ffaa93b3ef1c1bd4040dce0437a6588746b684f3c6387e8c7

  • Size

    1.3MB

  • Sample

    230823-3nfy7shh6x

  • MD5

    64628a8f10379519abec9c1fbf47082d

  • SHA1

    759e66699dbb90378ac1b95d4ea66037a984e01e

  • SHA256

    03baf4575570630ffaa93b3ef1c1bd4040dce0437a6588746b684f3c6387e8c7

  • SHA512

    6bfeb44c27be460ca0b709b89736975505ebeb4cb8b44bfdba92fb89e9c995032aca0284b1e6aa620f0cf8e3cd955898b9bdc691daa2e6b9cc7a089421d38cdc

  • SSDEEP

    24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNj:QHPkVOBTK

Malware Config

Targets

    • Target

      03baf4575570630ffaa93b3ef1c1bd4040dce0437a6588746b684f3c6387e8c7

    • Detect PurpleFox Rootkit

      Signature match for the PurpleFox rootkit component.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
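The signatures above describe a rootkit installation chain: a file is written into the System32 drivers directory and a service ImagePath value is then set to point at it. The following Python is an added example (not part of the Triage report or the sample's trace) that correlates sandbox-style file-write and registry-set events into that chain; it generalizes slightly by also flagging user-mode service binaries dropped anywhere and distinguishing kernel drivers from them. The event records, file names (examplerk.sys, examplesvc.exe) and service names are constructed for illustration.

```python
"""Correlate sandbox-style events into a "drop file, point a service at it" chain.

Added example, not code from the Triage report or the analysed sample.
All events below are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# HKLM\SYSTEM\<ControlSet>\Services\<name>\ImagePath, case-insensitive
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE,
)
DRIVERS_DIR = r"c:\windows\system32\drivers"


@dataclass
class Event:
    seq: int        # monotonically increasing event ordinal
    pid: int
    kind: str       # "file_write" or "reg_set"
    target: str     # file path, or registry value path for reg_set
    data: str = ""  # registry value data (reg_set only)


@dataclass
class Finding:
    service: str
    image: str
    kernel_driver: bool  # image lives in System32\drivers
    drop_seq: int
    reg_seq: int
    same_pid: bool       # dropper and registry writer are the same process


def normalize_image_path(value: str) -> str:
    """Reduce an ImagePath value to a plain absolute path.

    Driver services often use \\??\\C:\\... or \\SystemRoot\\... forms;
    EXE services may be quoted and carry arguments.
    """
    v = value.strip()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]          # quoted path: keep up to closing quote
    v = re.sub(r"^\\\?\?\\", "", v)        # strip NT object prefix \??\
    v = re.sub(r"^\\SystemRoot\\", r"C:\\Windows\\", v, flags=re.IGNORECASE)
    v = re.sub(r"^system32\\", r"C:\\Windows\\System32\\", v, flags=re.IGNORECASE)
    m = re.match(r"(.+?\.(?:sys|exe|dll))(?:\s|$)", v, re.IGNORECASE)
    return m.group(1) if m else v


def find_driver_installs(events):
    """Return a Finding for every service ImagePath that points at a file
    written earlier in the same trace."""
    dropped = {}  # normalized lowercase path -> (seq, pid)
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "file_write":
            dropped[ntpath.normpath(ev.target).lower()] = (ev.seq, ev.pid)
        elif ev.kind == "reg_set":
            m = SERVICES_KEY.match(ev.target)
            if not m:
                continue
            image = ntpath.normpath(normalize_image_path(ev.data)).lower()
            if image in dropped:
                drop_seq, drop_pid = dropped[image]
                findings.append(Finding(
                    service=m.group(1),
                    image=image,
                    kernel_driver=ntpath.dirname(image) == DRIVERS_DIR,
                    drop_seq=drop_seq,
                    reg_seq=ev.seq,
                    same_pid=(drop_pid == ev.pid),
                ))
    return findings


# Constructed events; file and service names are hypothetical.
SAMPLE_EVENTS = [
    Event(1, 1234, "file_write", r"C:\Users\admin\AppData\Local\Temp\stage2.exe"),
    Event(2, 1234, "file_write", r"C:\Windows\System32\drivers\examplerk.sys"),
    Event(3, 1234, "reg_set", r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleRk\ImagePath",
          r"\??\C:\Windows\System32\drivers\examplerk.sys"),
    Event(4, 1234, "file_write", r"C:\Windows\System32\examplesvc.exe"),
    Event(5, 5678, "reg_set", r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
          r'"C:\Windows\System32\examplesvc.exe" -k netsvcs'),
    # Benign: ImagePath of a pre-existing driver that was never written in this trace.
    Event(6, 900, "reg_set", r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\ImagePath",
          r"\SystemRoot\System32\drivers\tcpip.sys"),
]

if __name__ == "__main__":
    for f in find_driver_installs(SAMPLE_EVENTS):
        kind = "KERNEL DRIVER" if f.kernel_driver else "user-mode service"
        print(f"{kind}: {f.service} -> {f.image} (dropped @{f.drop_seq}, registered @{f.reg_seq}, same pid={f.same_pid})")
```

The tcpip.sys event is deliberately left unflagged: a service pointing at a driver that already existed is normal, while a service pointing at a driver written moments earlier by the same process is the pattern worth alerting on. Real traces (Sysmon Event ID 11 and 13, or a sandbox's own file/registry log) need only be mapped onto the Event fields.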

MITRE ATT&CK Enterprise v15
