General

  • Target

    ad76789e989c410c92fb30949580805312c9f5484714af1f0a16ff864e234ef2

  • Size

    3.7MB

  • Sample

    240526-mtm2psfe3z

  • MD5

    abbdaf73eb6f0529a685d305bef836f8

  • SHA1

    c8950dcedd97954589549629923c7a3a5333e845

  • SHA256

    ad76789e989c410c92fb30949580805312c9f5484714af1f0a16ff864e234ef2

  • SHA512

    91eeb03c64bee7b1e8fb4c3e9d551c0b95d525f3bfd053c9db08b88a22bc030b29146ce257ec2c52278d0c3bb5df6e8713b24295eeaf27717bd3e00c61a65530

  • SSDEEP

    49152:yCwsbCANnKXferL7Vwe/Gg0P+WhI7tjrlkWNE3LOEpFRMwX7MLm:Vws2ANnKXOaeOgmhMwOEpFRpH

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks