General

  • Target

    2024-03-18_794b766caad2c236c5aebec2e6242fb7_icedid

  • Size

    3.4MB

  • Sample

    240318-nwjmqsfh38

  • MD5

    794b766caad2c236c5aebec2e6242fb7

  • SHA1

    06514ab12d5236821138d33d542473f7e0928773

  • SHA256

    364bef9ac659e35838a79e580b137d355aec3613538685d46d7da479635ff6a3

  • SHA512

    c3256b4e7a3ed4e2b1b02ebc390ee77b084b0ccaf45cc896d3a4bc4d5114a112525b7f71f2ee46d51c67b4e367780c0a6724032c731e25734661d5528a6db8ac

  • SSDEEP

    49152:yCwsbCANnKXferL7Vwe/Gg0P+WhzT2pZ15s:Vws2ANnKXOaeOgmhzT0Rs

Malware Config

Targets

    • Target

      2024-03-18_794b766caad2c236c5aebec2e6242fb7_icedid

    • Size

      3.4MB

    • MD5

      794b766caad2c236c5aebec2e6242fb7

    • SHA1

      06514ab12d5236821138d33d542473f7e0928773

    • SHA256

      364bef9ac659e35838a79e580b137d355aec3613538685d46d7da479635ff6a3

    • SHA512

      c3256b4e7a3ed4e2b1b02ebc390ee77b084b0ccaf45cc896d3a4bc4d5114a112525b7f71f2ee46d51c67b4e367780c0a6724032c731e25734661d5528a6db8ac

    • SSDEEP

      49152:yCwsbCANnKXferL7Vwe/Gg0P+WhzT2pZ15s:Vws2ANnKXOaeOgmhzT0Rs

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks