Overview

overview

10

Static

static

3

db3ced5134...2e.exe

windows7-x64

10

db3ced5134...2e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    db3ced51341dc7d69c2607cf9457fad1ce59ed4df0130a0d81a3f108a75a642e.exe

  • Size

    2.5MB

  • Sample

    240524-m5lb9aef69

  • MD5

    8fe9da49093a8992fd2c8cfb8ee837e7

  • SHA1

    de972d673350643e830cbd82e1a233d627c31c2d

  • SHA256

    db3ced51341dc7d69c2607cf9457fad1ce59ed4df0130a0d81a3f108a75a642e

  • SHA512

    26e5da36b8a3680fe0a0d6807eb1de8abdf6d40b63bfecd25c3c119cb42018bf35f57929ffcdb3a97076f00d6da09cfbd7b3d1084f020a08ecc1b51ec29ac87f

  • SSDEEP

    24576:UCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHi:UCwsbCANnKXferL7Vwe/Gg0P+WhSG

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Targets

    • Target

      db3ced51341dc7d69c2607cf9457fad1ce59ed4df0130a0d81a3f108a75a642e.exe

    • Size

      2.5MB

    • MD5

      8fe9da49093a8992fd2c8cfb8ee837e7

    • SHA1

      de972d673350643e830cbd82e1a233d627c31c2d

    • SHA256

      db3ced51341dc7d69c2607cf9457fad1ce59ed4df0130a0d81a3f108a75a642e

    • SHA512

      26e5da36b8a3680fe0a0d6807eb1de8abdf6d40b63bfecd25c3c119cb42018bf35f57929ffcdb3a97076f00d6da09cfbd7b3d1084f020a08ecc1b51ec29ac87f

    • SSDEEP

      24576:UCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHi:UCwsbCANnKXferL7Vwe/Gg0P+WhSG

    Score
    10/10
    gh0stratpurplefoxpersistenceratrootkittrojanupx

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks