Overview

overview

10

Static

static

3

355b800e38...5b.exe

windows7-x64

10

355b800e38...5b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    355b800e3849b14d0788f45cd43efd5509a1dfb2069009142f7e93b3920fc75b

  • Size

    3.6MB

  • Sample

    240526-lzrreaed41

  • MD5

    c73ea6e67c19ddfb06bc9428b86c9b79

  • SHA1

    854e463a862edff3bbd35c37ee96b411cdce7189

  • SHA256

    355b800e3849b14d0788f45cd43efd5509a1dfb2069009142f7e93b3920fc75b

  • SHA512

    288f0d19a7938df4d9f44359af75db239e4e2f19e5136a89cb2c5b0a5b2ee9c0d50ef8bc2218d8855843025c3872cd8f8dc70908b669604a189a5386b4f2affc

  • SSDEEP

    49152:ZCwsbCANnKXferL7Vwe/Gg0P+WhR2kIorv0sI+AiIZ:Uws2ANnKXOaeOgmhi8v038IZ

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Targets

    • Target

      355b800e3849b14d0788f45cd43efd5509a1dfb2069009142f7e93b3920fc75b

    • Size

      3.6MB

    • MD5

      c73ea6e67c19ddfb06bc9428b86c9b79

    • SHA1

      854e463a862edff3bbd35c37ee96b411cdce7189

    • SHA256

      355b800e3849b14d0788f45cd43efd5509a1dfb2069009142f7e93b3920fc75b

    • SHA512

      288f0d19a7938df4d9f44359af75db239e4e2f19e5136a89cb2c5b0a5b2ee9c0d50ef8bc2218d8855843025c3872cd8f8dc70908b669604a189a5386b4f2affc

    • SSDEEP

      49152:ZCwsbCANnKXferL7Vwe/Gg0P+WhR2kIorv0sI+AiIZ:Uws2ANnKXOaeOgmhi8v038IZ

    Score
    10/10
    gh0stratpurplefoxpersistenceratrootkittrojanupx

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks