General

  • Target

    b040c6ebe2747d444f6a37252aad980d33d932651866624695fc8699985e1004

  • Size

    2.3MB

  • Sample

    230823-z49pnsgh91

  • MD5

    25b43f92f8eb1d1b10400a12f1dccf6a

  • SHA1

    8e1d40f6b8c803fb2c18170ca861a467923e74f4

  • SHA256

    b040c6ebe2747d444f6a37252aad980d33d932651866624695fc8699985e1004

  • SHA512

    763c14942e0f2ee4ef25d73c76f906a395ef33b30b5f640ee5cd377737d84c7fc3bdf6705c41025e1d3584aac66ce4cd8a14af72781c824c538ca52b4220858d

  • SSDEEP

    49152:Hr+wimbwXlPHS76Nxx+/46esFrrCHNQP2uVOYM/dpWBW:Hr+wimcVy7F/fTrrCHmP2qOr/dpWBW

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks