General
-
Target
Dropped Viruses.zip
-
Size
26.7MB
-
Sample
231202-cs71dahe25
-
MD5
4d38ef0874ff285bd877d4c27c5d04f8
-
SHA1
0911c1b1a8f90f8d0a890092031d42d3575ac547
-
SHA256
cb04f733c0a33674b5212a9d0a3ba2c893b00ca3775ea2b0e25f54a72a42a8d0
-
SHA512
de46688c2b910bbad2b6beda03aed551bc7f3d0b43195b4c32a4c8e052ad583b8e294f0d1e474cd7b75db12a60cd46885f836291db578b4fdfe6b272d29fc0b9
-
SSDEEP
786432:IwYhEyJcb5veOTvHYPZv+O24zNs/RvA/IDZ:oh9cb5vQhv+O24KZcIDZ
Malware Config
Targets
-
-
Target
Dropped Viruses.zip
-
Size
26.7MB
-
MD5
4d38ef0874ff285bd877d4c27c5d04f8
-
SHA1
0911c1b1a8f90f8d0a890092031d42d3575ac547
-
SHA256
cb04f733c0a33674b5212a9d0a3ba2c893b00ca3775ea2b0e25f54a72a42a8d0
-
SHA512
de46688c2b910bbad2b6beda03aed551bc7f3d0b43195b4c32a4c8e052ad583b8e294f0d1e474cd7b75db12a60cd46885f836291db578b4fdfe6b272d29fc0b9
-
SSDEEP
786432:IwYhEyJcb5veOTvHYPZv+O24zNs/RvA/IDZ:oh9cb5vQhv+O24KZcIDZ
Score1/10 -
-
-
Target
build.exe
-
Size
3.2MB
-
MD5
5bb4c4ac2c921b08e9b45d45eed7c2e6
-
SHA1
4c8d004bf6620bfea34802718a728e447891b9d6
-
SHA256
b45f56993b04a8506ec68e6cec23274d00af1eea04ad1215b003d140197fd876
-
SHA512
e940084bf9c2e5b82f2a3d81ad4a6c1eb312a52f231dc2cc4d6bd6ea83a51d932a23ca8f52613e2b1781ad9a695c54fcea2c1b301929dd06831a7e166bf7293b
-
SSDEEP
49152:PCwsbCANnKXferL7Vwe/Gg0P+WhvnsHyjtk2MYC5GD9A77:aws2ANnKXOaeOgmhvnsmtk2ab3
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory
-
Sets DLL path for service in the registry
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
chdyz.exe
-
Size
1.0MB
-
MD5
d70197852e8577d4cb1f0dc8695a4337
-
SHA1
93d3d0801a219e08277d02276edd9cc7fcfe1cbc
-
SHA256
18408ab00fb2d0aecc9a6f65e1fe9510627e59274d954b135f69da34ac56579a
-
SHA512
347bb17029265566400e2225ec1f6a51f3e823b40a994dcdb5ab10e58d4da2d91f4f4bf11c12cfb1100b36425092f17d1937dfeb73cc68a7e7612972bf2aae6c
-
SSDEEP
24576:iM02vFb1W0ZJdlevZPamfhE/Um7D1fUggepjfJ+gaELmeZS:iM02vFb1TJAUmfhtIaEJo
Score1/10 -
-
-
Target
conhost.exe
-
Size
4.8MB
-
MD5
8a61c769b7d7cd8b0c0855b43985c7c9
-
SHA1
59e39a931804ab78de94983c05acd6e9b6c1b1bf
-
SHA256
c6929d1c6f0e27fc58b77686a7cbe125123b9c6efbec8168069462c732c458a4
-
SHA512
df48fc4743ab286609c2efd77db22b8b534e53c2f54719395c43bad883b80748cdb105041d5ee70f69c0bb818fe16fb3abe1d4884b130c5ea974ad783d470413
-
SSDEEP
98304:aws2ANnKXOaeOgmhZ15LUHSeWrUhMpiKsQOw69thZjeApkxJ0lU:wKXbeO7X19+1WMMpPcVZjpkf0lU
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
XMRig Miner payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets DLL path for service in the registry
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
-
-
Target
demon.exe
-
Size
62KB
-
MD5
73053ed899ed813b3113ad2a588b446d
-
SHA1
6ad9be493226bb985a315f647899b819f2605b97
-
SHA256
35b0d522fd8abdbbadf0a04532a10afa082574a8847b8219c8e79dab769ae977
-
SHA512
854e1ed50784a7b74d6a19ae996822a2612c0dea11132c3f2e9c592c0c6da977de1871e62177b77933ba395dcb13f50605fd7d6ffa014873566ee84444f1bc10
-
SSDEEP
1536:DwJB0MxOSIoH7zrn96aAAomotxCO+sWiZ:MoUnrn96eomotxlWiZ
Score1/10 -
-
-
Target
tuc3.exe
-
Size
8.3MB
-
MD5
be50cdf66ff3a814a8d6ba4cef74ed4e
-
SHA1
589b4fdc2e731dfdfd8d02dd8967e3d538ba22ed
-
SHA256
3a589ebbe7208535a1e4a480a9b1f8f8b5bcace5bf7661713dcec5be5dcb8621
-
SHA512
d63c6b153ad2ccb6d0f7842345159ef0d45212aaf8ddc110525a28cea8bed8caec85acb5fff9c7da51b994c26726ad62c57fc401dbfda1fdd952d2d8a3a89bc0
-
SSDEEP
196608:xcklts/+GEKg9t52ty7kM4HnaKpWFhyOlxxLWm3SfBL6BMd:6Yts0j52oaH3Mrv9uZS4
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
update.exe
-
Size
15.3MB
-
MD5
8c5d426590cccc0ca0f27ebed418da4e
-
SHA1
040ec9658021981f3e1546ee0a9dd26e2da43f04
-
SHA256
cfb1170c66210f82f98157c0b2ea62e5372056c6a4d36e7f0db4dc9754ef00c3
-
SHA512
8ec23652539776123e4af1b2f7a384bc0b88f4020b935ca90ddaa8fade239785a181d7bc6f1a9ba6884793fbf997c9f2f920aa968153e1b72f201f38b269682b
-
SSDEEP
393216:J79rqs77+THrAQUSA1In5Q7JNp1ruYVOgDKg:t9OsGTLBUSAin5qPv
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload
-
Drops file in Drivers directory
-
Sets DLL path for service in the registry
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
7Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
7Scheduled Task/Job
1