General

  • Target

    dc49a5a5a4c7a7f6ee21f7dac1c12b4f4010f8d9a7a84a101656b5a3fc16234c

  • Size

    1.6MB

  • Sample

    230828-j1jfbabb2s

  • MD5

    b73ce676ff2cd54004c2f07722cdaaee

  • SHA1

    f31307dd6232a3e93e4899d5f85a979b9673ba4d

  • SHA256

    dc49a5a5a4c7a7f6ee21f7dac1c12b4f4010f8d9a7a84a101656b5a3fc16234c

  • SHA512

    726c3481a332208529a09c45bda23a68f4d46bb4424b3b4117b70648a7b3d3cf931f1882a0c4aacba337193ca5af57444317a64664e46ef75edde40b00090332

  • SSDEEP

    24576:hZzl4MJIHREqYzuk/CEOBRltT5agt+1seoB+L1EydiRZDVHKdFUMmula1B:hZxPix+TO3+1GBGCydiRZRHkSolar

Malware Config

Targets

    • Target

      dc49a5a5a4c7a7f6ee21f7dac1c12b4f4010f8d9a7a84a101656b5a3fc16234c

    • Detect PurpleFox Rootkit

      Signature match for the PurpleFox rootkit component.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Deletes itself

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
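
The behaviours listed above (drive-root enumeration, a drop into System32 followed by execution, self-deletion, and the NtSetInformationThread anti-debug call) can be expressed as rules over a process/file/API event trace. The following is an added example, not part of this report and not any sandbox vendor's signature code; the event schema (pid, ppid, image, op, target) and the trace contents are constructed for illustration and mirror the signatures above rather than this sample's actual trace.

```python
"""Behavioural rules over a sandbox event trace.

Added example (not part of the sandbox report and not any vendor's
signature code): it re-implements the signatures listed above as rules
over a constructed process/file/API event trace. The event schema
(pid, ppid, image, op, target) is an assumption for illustration.
"""
import re
from collections import defaultdict

# THREADINFOCLASS ThreadHideFromDebugger, the class the anti-debug call uses
THREAD_HIDE_FROM_DEBUGGER = 0x11
SYSTEM32 = "c:\\windows\\system32\\"
DRIVE_ROOT = re.compile(r"[a-z]:\\")   # bare root path such as d:\


def event(pid, ppid, image, op, target):
    return {"pid": pid, "ppid": ppid, "image": image, "op": op, "target": target}


# Constructed trace mirroring the behaviours reported for the sample
SAMPLE = "C:\\Users\\u\\Desktop\\sample.exe"
DROPPED = "C:\\Windows\\System32\\svchost_.exe"
TRACE = [
    event(100, 1, SAMPLE, "api_call", "NtSetInformationThread:0x11"),
    event(100, 1, SAMPLE, "file_query", "C:\\"),
    event(100, 1, SAMPLE, "file_query", "D:\\"),
    event(100, 1, SAMPLE, "file_query", "E:\\"),
    event(100, 1, SAMPLE, "file_create", DROPPED),
    event(100, 1, SAMPLE, "process_create", DROPPED),
    event(200, 100, DROPPED, "file_query", "C:\\Windows\\System32\\drivers\\"),
    event(100, 1, SAMPLE, "process_create", "C:\\Windows\\System32\\cmd.exe"),
    event(300, 100, "C:\\Windows\\System32\\cmd.exe", "file_delete", SAMPLE),
]

# Constructed benign trace: a Windows servicing process writing into System32
BENIGN = [
    event(400, 1, "C:\\Windows\\servicing\\TrustedInstaller.exe", "file_create",
          "C:\\Windows\\System32\\kernelbase.dll"),
    event(400, 1, "C:\\Windows\\servicing\\TrustedInstaller.exe", "file_query", "C:\\"),
]


def analyze(trace):
    """Return {signature: [evidence, ...]} for the behaviours seen in trace."""
    hits = defaultdict(list)
    image_of = {}        # pid -> lower-cased image path of that process
    parent_of = {}       # pid -> ppid
    dropped = set()      # files written by a traced process
    for e in trace:
        me = e["image"].lower()
        image_of.setdefault(e["pid"], me)
        parent_of.setdefault(e["pid"], e["ppid"])
        target = e["target"].lower()
        op = e["op"]
        if op == "api_call":
            name, _, info_class = e["target"].partition(":")
            if name == "NtSetInformationThread" and int(info_class, 0) == THREAD_HIDE_FROM_DEBUGGER:
                hits["hide_from_debugger"].append(e["pid"])
        elif op == "file_query":
            # Root of a drive other than C: -> drive enumeration
            if DRIVE_ROOT.fullmatch(target) and not target.startswith("c:"):
                hits["enumerates_drives"].append(target)
        elif op == "file_create":
            dropped.add(target)
            # Writes into System32 from a process outside the Windows directory
            if target.startswith(SYSTEM32) and not me.startswith("c:\\windows\\"):
                hits["drops_in_system32"].append(target)
        elif op == "process_create":
            # Launching a file this trace saw being written
            if target in dropped:
                hits["executes_dropped_exe"].append(target)
        elif op == "file_delete":
            # Self-deletion: deleting the image of this process or of its parent
            # (the usual "cmd.exe /c del <self>" pattern)
            own = {me, image_of.get(parent_of[e["pid"]])}
            if target in own:
                hits["deletes_itself"].append(target)
    return dict(hits)


def signatures(trace):
    """Sorted list of signature names that fired for the trace."""
    return sorted(analyze(trace))


if __name__ == "__main__":
    for sig, evidence in analyze(TRACE).items():
        print(f"{sig:22s} {evidence}")
```

The System32 rule deliberately ignores writers that already live under C:\Windows, so servicing and update processes do not fire it; the self-deletion rule looks one level up the process tree because the deleting process is usually a spawned cmd.exe rather than the sample itself. Note that "executes dropped EXE" also fires for ordinary installers, so on its own it is a triage signal rather than a verdict.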

MITRE ATT&CK Enterprise v15

Tasks