Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811

  • Size

    4.6MB

  • Sample

    240405-et7r4scd79

  • MD5

    3dfe6ff32db8cd1e7f6b2fba4c308836

  • SHA1

    a609b1de628998746bd1f33616f2a3324764fb52

  • SHA256

    9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811

  • SHA512

    fa169e2f01ef3f970c1b79ced8f5040117e9dff32ff4f55c13681cf468fb020bac9b2c59d426f2e97f170fd95cfdb3704346dbc0ba75925658acd0c6d72609f2

  • SSDEEP

    98304:iws2ANnKXOaeOgmh707KZxDnDCa+WlcelG07E2MLM:4KXbeO7a2v5zyelw2M

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Targets

    • Target

      9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811

    • Size

      4.6MB

    • MD5

      3dfe6ff32db8cd1e7f6b2fba4c308836

    • SHA1

      a609b1de628998746bd1f33616f2a3324764fb52

    • SHA256

      9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811

    • SHA512

      fa169e2f01ef3f970c1b79ced8f5040117e9dff32ff4f55c13681cf468fb020bac9b2c59d426f2e97f170fd95cfdb3704346dbc0ba75925658acd0c6d72609f2

    • SSDEEP

      98304:iws2ANnKXOaeOgmh707KZxDnDCa+WlcelG07E2MLM:4KXbeO7a2v5zyelw2M

    Score
    10/10
    gh0stratpurplefoxpersistenceratrootkittrojanupx

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks