General

  • Target

    2024-03-26_314584e001680da33f9f2e08f1ebbdc4_icedid

  • Size

    4.3MB

  • Sample

    240326-nnc5zshb23

  • MD5

    314584e001680da33f9f2e08f1ebbdc4

  • SHA1

    2ae0d7d8747c641fa7ff82b7196cced858410996

  • SHA256

    41da33b33d4d9ce118980d38e50d7c3be1caf21a3d75a512de7d91cef5d6bb35

  • SHA512

    f7fb82d4c75cc607cf508b2a48cbd22cf78ee4ed1c92ed0aab1c29e96bf42e7d44fdac67df8ddacc2ad7e1a288a7d2ee0f72a1745851a30618800f92978f40f3

  • SSDEEP

    98304:Aws2ANnKXOaeOgmhgR2YNTVqnPQuzrFH6qXHnIqhYY:WKXbeO7SRnNhqnZzrFaQHnWY

Malware Config

Targets

    • Target

      2024-03-26_314584e001680da33f9f2e08f1ebbdc4_icedid

    • Size

      4.3MB

    • MD5

      314584e001680da33f9f2e08f1ebbdc4

    • SHA1

      2ae0d7d8747c641fa7ff82b7196cced858410996

    • SHA256

      41da33b33d4d9ce118980d38e50d7c3be1caf21a3d75a512de7d91cef5d6bb35

    • SHA512

      f7fb82d4c75cc607cf508b2a48cbd22cf78ee4ed1c92ed0aab1c29e96bf42e7d44fdac67df8ddacc2ad7e1a288a7d2ee0f72a1745851a30618800f92978f40f3

    • SSDEEP

      98304:Aws2ANnKXOaeOgmhgR2YNTVqnPQuzrFH6qXHnIqhYY:WKXbeO7SRnNhqnZzrFaQHnWY

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks