General

  • Target

    360a3a238d566bfd28aa8424a9ce5ae48f3dd5cda2f056ee6fe77841b2e7b5a3

  • Size

    7.9MB

  • Sample

    230823-nf4yqsbg39

  • MD5

    b760286dc3b6e9d2fead63bc0fca9635

  • SHA1

    ecd8933907ec834d53487e8233386ce980b7d3c4

  • SHA256

    360a3a238d566bfd28aa8424a9ce5ae48f3dd5cda2f056ee6fe77841b2e7b5a3

  • SHA512

    0ab9bc937f65ebe5d821d9e9ba2356bfd55badd4415c4d190b63620a1d265b092304cd73d5270d5c30e4e258e21dae37c7341b5f30473cbc8c099000c153ef61

  • SSDEEP

    98304:iws2ANnKXOaeOgmhnJ8C38yO/lnxHReeczJZ5P4B18frP3wbzWFimaI7dlZJZ:4KXbeO78vyknxxeeWgbzWFimaI7dl

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks