General

  • Target

    2024-03-26_0d04e98436d048ddf0d8e3d74d79ecce_icedid

  • Size

    2.6MB

  • Sample

    240326-plyvcaab23

  • MD5

    0d04e98436d048ddf0d8e3d74d79ecce

  • SHA1

    14e943c71fb45c27d0e9e066385ca4f272845455

  • SHA256

    fa7dd47781f83306958f1ac1b902e9909a8b81a3934444e945dd44c83c021c00

  • SHA512

    dd400d524a73050ec59955e8819dc174eb69b25d24e8cb09b163d01e16e6ac2b7a3c4dd24b82d431935bcb8a1454ce9b5045740cd10a5da03ab99c46c833795f

  • SSDEEP

    49152:9CwsbCANnKXferL7Vwe/Gg0P+WhbYF7R2r+oT3:Aws2ANnKXOaeOgmhgR2SY

Malware Config

Targets

    • Target

      2024-03-26_0d04e98436d048ddf0d8e3d74d79ecce_icedid

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks