Resubmissions

23-05-2024 02:37

240523-c36v3aah3v 10

23-05-2024 02:32

240523-c1n78saf9v 6

General

  • Target

    test.msi

  • Size

    2.1MB

  • Sample

    240523-c36v3aah3v

  • MD5

    bfd00224b00b9f6f07f424f75cff6836

  • SHA1

    2bf889bcc9b413cec07925bac78610391faecaad

  • SHA256

    c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635

  • SHA512

    eab303bd75a18948c7d2e0572f7ffbc1f9165972ec06163bd7e7274b3b743103b3d160d0c1d5b4a0d92735f34f6f6c6a5b9ec6e9c7fbc33494eaf18f564dbd90

  • SSDEEP

    49152:p5yULiNbhfDc7yEq9WRhd9Itc71hE7T8XX5UpAH7uidqFWV63hTI97qjfAj:e05q2t7vGA5bkWkRTI9qjY

Malware Config

Targets

    • Target

      test.msi

    • Size

      2.1MB

    • MD5

      bfd00224b00b9f6f07f424f75cff6836

    • SHA1

      2bf889bcc9b413cec07925bac78610391faecaad

    • SHA256

      c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635

    • SHA512

      eab303bd75a18948c7d2e0572f7ffbc1f9165972ec06163bd7e7274b3b743103b3d160d0c1d5b4a0d92735f34f6f6c6a5b9ec6e9c7fbc33494eaf18f564dbd90

    • SSDEEP

      49152:p5yULiNbhfDc7yEq9WRhd9Itc71hE7T8XX5UpAH7uidqFWV63hTI97qjfAj:e05q2t7vGA5bkWkRTI9qjY

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

7
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

7
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Tasks