General

  • Target

    5a2012a9ecbd39ee6215b817a2659e3c293449a28a9377f61ce4ebe125fbcfba

  • Size

    3.5MB

  • Sample

    240525-ypys7agd2w

  • MD5

    85d298849f6bbb4e7580648190be874e

  • SHA1

    2ee89c5141c411546d7c81fe939c260503eced08

  • SHA256

    5a2012a9ecbd39ee6215b817a2659e3c293449a28a9377f61ce4ebe125fbcfba

  • SHA512

    d9cd39936fd94c1e088cc6df5cab5a68475fef6e5808d5f9914086d13a38ffb71b636bd329ba42389a32f898d1174c12955b015f9b9147857c445ec882d8df92

  • SSDEEP

    49152:dCwsbCANnKXferL7Vwe/Gg0P+Wht46c8RWC35YdqHDeYC/:gws2ANnKXOaeOgmht46JRSdqHDbs

Malware Config

Targets

    • Target

      5a2012a9ecbd39ee6215b817a2659e3c293449a28a9377f61ce4ebe125fbcfba

    • Size

      3.5MB

    • MD5

      85d298849f6bbb4e7580648190be874e

    • SHA1

      2ee89c5141c411546d7c81fe939c260503eced08

    • SHA256

      5a2012a9ecbd39ee6215b817a2659e3c293449a28a9377f61ce4ebe125fbcfba

    • SHA512

      d9cd39936fd94c1e088cc6df5cab5a68475fef6e5808d5f9914086d13a38ffb71b636bd329ba42389a32f898d1174c12955b015f9b9147857c445ec882d8df92

    • SSDEEP

      49152:dCwsbCANnKXferL7Vwe/Gg0P+Wht46c8RWC35YdqHDeYC/:gws2ANnKXOaeOgmht46JRSdqHDbs

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks