General

  • Target

    5a046650824cef1294192a002110bf4bcb7c29570d9b7ccfbb35ca6fc4d01357

  • Size

    3.0MB

  • Sample

    230830-yehn8ahf5y

  • MD5

    cb55d677cabdbdfc732841e861b50abb

  • SHA1

    014d9bc40d5c5dccbdf7928514b597eeb3bbe894

  • SHA256

    5a046650824cef1294192a002110bf4bcb7c29570d9b7ccfbb35ca6fc4d01357

  • SHA512

    f0c08cb93c3c9268ef81b610923ef74ce2d162b89f7f734088b288e8fa45a4e200b5fe48b13f976d0a9750c76499ada2f8a16634fe7f53e299787e80a70a16b2

  • SSDEEP

    6144:q46iVZNa86sqSp5YEi68dBjYkOhDgAf3AQH0Qsay50v76GqY820C:q45KST2vYkOhDX0Zz5S768l

Malware Config

Targets


    • Detect PurpleFox Rootkit

      Detects the PurpleFox rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks