General

  • Target

    045e0a542ba96c75b593a35c9bd747a3197aec75764f8f34e6fba9a51fefc7f1

  • Size

    3.3MB

  • Sample

    240525-x4tbksfg35

  • MD5

    c0e1eac3790db65a50780d3dfce303ed

  • SHA1

    9c8f6333e2a6cd6a58592e5840b795319899e2cd

  • SHA256

    045e0a542ba96c75b593a35c9bd747a3197aec75764f8f34e6fba9a51fefc7f1

  • SHA512

    51248adcbf891efee37b8191feb4cb1b0efb9d4fe283573f222c72723ea9de6d9c514d14cf3e0614cb681748327a6bae6feeb7c80d8d2cbc30863cc31cd02781

  • SSDEEP

    49152:T09XJt4HIN2H2tFvduySXe4ldYWE6rKhTeQyKp:gZJt4HINy2LkO4ldYWYEu

Malware Config

Targets

    • Target

      045e0a542ba96c75b593a35c9bd747a3197aec75764f8f34e6fba9a51fefc7f1

    • Size

      3.3MB

    • MD5

      c0e1eac3790db65a50780d3dfce303ed

    • SHA1

      9c8f6333e2a6cd6a58592e5840b795319899e2cd

    • SHA256

      045e0a542ba96c75b593a35c9bd747a3197aec75764f8f34e6fba9a51fefc7f1

    • SHA512

      51248adcbf891efee37b8191feb4cb1b0efb9d4fe283573f222c72723ea9de6d9c514d14cf3e0614cb681748327a6bae6feeb7c80d8d2cbc30863cc31cd02781

    • SSDEEP

      49152:T09XJt4HIN2H2tFvduySXe4ldYWE6rKhTeQyKp:gZJt4HINy2LkO4ldYWYEu

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks