General

  • Target

    2024-03-18_dba447255cfb41e208a64d7e3b6c3d48_icedid

  • Size

    3.0MB

  • Sample

    240318-p3qkashb67

  • MD5

    dba447255cfb41e208a64d7e3b6c3d48

  • SHA1

    4adf147088243c775dcbb10a14baa10c9b2b34b2

  • SHA256

    ca719b9b347fafa7d0229cd23bb99b14b09aff81a900a6e9b1c6cba498c686e2

  • SHA512

    1901b274b8e6c5c1d597ab2dd764511fcacc3ee4aa2f1065ab834e501193b6b228952817360e9ef6589a429fba679f9048f18edd57e5e53ec2e05935694c0f40

  • SSDEEP

    49152:yCwsbCANnKXferL7Vwe/Gg0P+WhaUasqcVh:Vws2ANnKXOaeOgmhaPFmh

Malware Config

Targets

    • Target

      2024-03-18_dba447255cfb41e208a64d7e3b6c3d48_icedid

    • Size

      3.0MB

    • MD5

      dba447255cfb41e208a64d7e3b6c3d48

    • SHA1

      4adf147088243c775dcbb10a14baa10c9b2b34b2

    • SHA256

      ca719b9b347fafa7d0229cd23bb99b14b09aff81a900a6e9b1c6cba498c686e2

    • SHA512

      1901b274b8e6c5c1d597ab2dd764511fcacc3ee4aa2f1065ab834e501193b6b228952817360e9ef6589a429fba679f9048f18edd57e5e53ec2e05935694c0f40

    • SSDEEP

      49152:yCwsbCANnKXferL7Vwe/Gg0P+WhaUasqcVh:Vws2ANnKXOaeOgmhaPFmh

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks