General

  • Target

    2024-03-26_fbaf1f693b52260383ed0dd4db707a87_icedid

  • Size

    3.4MB

  • Sample

    240326-n9pqxacf8z

  • MD5

    fbaf1f693b52260383ed0dd4db707a87

  • SHA1

    2b66820aaa87bd2d4f34171e0707c9b2a4b08aad

  • SHA256

    9302b37865560a12e474c5c2b40282a7b1becb43b16adfcf61aa16a373b8dfb7

  • SHA512

    f0e76137d830fae1348d007cbd2a2a5e4b2f302c41d129f59009a7cc929e118d1a6eb88ea684fbb89a0ea4f9dd4cb92cada8996b34097d8bb85e1f4181eb8059

  • SSDEEP

    49152:HCwsbCANnKXferL7Vwe/Gg0P+Wh+T9jaR3:iws2ANnKXOaeOgmh+c1

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks