General

  • Target

    5d8f837b81f47ce1733a322b5c5d46bf7f710b833505dd26beae73e22dda2a77

  • Size

    1.3MB

  • Sample

    230901-cv3hnsca67

  • MD5

    8a2dbefec715b475c092ef1aeea015c3

  • SHA1

    49a324ecdcf7f0d0bc526dcb5cc04f47e427f296

  • SHA256

    5d8f837b81f47ce1733a322b5c5d46bf7f710b833505dd26beae73e22dda2a77

  • SHA512

    252769eae97d18a4000c5ba8a3d531a7f0bccf388600b30b97941095afc9ba9bbcf2eb880dc069c2cc854e3279a813bdf238f3bc1e9729cb554f624e27cfed77

  • SSDEEP

    24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNN:QHPkVOBTK

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
