General

  • Target

    67bd60438c1d5066664da8b70b815aaf65177b98be42a44e01bb14db0d6396ff

  • Size

    4.5MB

  • Sample

    240526-p94eqseh3y

  • MD5

    0828b8a9c9f4cb5b541f5a4c4ac0be51

  • SHA1

    2279e1e3e63c3e6bcfa4a036156bce84279a723f

  • SHA256

    67bd60438c1d5066664da8b70b815aaf65177b98be42a44e01bb14db0d6396ff

  • SHA512

    ae8a156722af167e33e3b5ecfb7d8e513cb13a89d274e82e986d1d79314f66b5f58973b6ade91d324476fd51a6e64fe8c76dd155ba8b27d9ee75e5f8c080d9d9

  • SSDEEP

    98304:8GdVyVT9nOgmhDILDmn220f6ijFULXeeDihnYcMoe0Ig:jWT9nO7+vmnX0fzjS9DSYcPOg

Targets

    • Detect PurpleFox Rootkit

      Signature match for the PurpleFox rootkit component.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Drops file in System32 directory
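
Two of the signature hits above can be re-derived offline from the artefacts a sandbox hands back. The Python below is an added example written for this page, not the sandbox's own signature code: it walks a PE section table looking for UPX's section names (the "UPX packed file" hit), and it correlates service ImagePath / ServiceDll registry writes with the files the sample dropped, which is what "Sets service image path in registry", "Sets DLL path for service in the registry" and "Drops file in Drivers / System32 directory" amount to when they fire together. The minimal PE bytes, the service names and the file paths are constructed placeholders, not artefacts from this sample.

```python
"""Added example for this report (not the sandbox's own signature code).

Two of the hits above, re-derived offline:
  * "UPX packed file": walk the PE section table for UPX section names.
  * "Sets service image path in registry" / "Sets DLL path for service in the
    registry" + "Drops file in Drivers/System32 directory": flag services whose
    ImagePath or ServiceDll points at a file the sample itself dropped.
All inputs below (PE bytes, service names, paths) are constructed placeholders.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"


def pe_section_names(data: bytes) -> list[str]:
    """Section names of a PE image, or [] if the buffer is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader
    # at +20 (skipping TimeDateStamp, PointerToSymbolTable, NumberOfSymbols).
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size       # section table begins after the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            break                          # truncated table: report what is there
        names.append(data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Stock UPX leaves its section names in place; a modified packer may rename them."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def build_min_pe(section_names: list[bytes]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with a zero-length
    optional header, then the section table. Enough for header parsers; not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


@dataclass(frozen=True)
class RegWrite:
    key: str    # HKLM\SYSTEM\CurrentControlSet\Services\<svc>[\Parameters]
    value: str  # "ImagePath" (service/driver binary) or "ServiceDll" (svchost-hosted DLL)
    data: str


def _norm_path(p: str) -> str:
    """Fold the spellings Windows accepts in service paths into one lower-case form."""
    p = p.strip().strip('"').lower()
    p = p.replace("\\??\\", "")                      # NT object-manager prefix on driver paths
    p = p.replace("\\systemroot\\", "c:\\windows\\")
    p = p.replace("%systemroot%", "c:\\windows")
    if p.startswith("system32\\"):                  # bare "system32\x.sys" form for drivers
        p = "c:\\windows\\" + p
    for ext in (".exe", ".sys", ".dll"):            # drop arguments such as "-k netsvcs"
        idx = p.find(ext)
        if idx != -1:
            return p[: idx + len(ext)]
    return p


def service_persistence_from_drops(dropped: set[str], writes: list[RegWrite]) -> list[tuple[str, str, str]]:
    """(service, value name, path) for every service binary/DLL registry write that
    resolves to a file the sample dropped. Other keys/values, and paths to files the
    sample did not create, are ignored."""
    dropped_norm = {_norm_path(p) for p in dropped}
    hits = []
    for w in writes:
        key = w.key.lower()
        if not key.startswith(SERVICES_ROOT) or w.value.lower() not in ("imagepath", "servicedll"):
            continue
        svc = key[len(SERVICES_ROOT):].split("\\", 1)[0]
        path = _norm_path(w.data)
        if path in dropped_norm:
            hits.append((svc, w.value, path))
    return hits


if __name__ == "__main__":
    # Constructed events, not from this sample's report.
    dropped = {"C:\\Windows\\System32\\drivers\\example.sys", "C:\\Windows\\System32\\example.dll"}
    writes = [
        RegWrite("HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleDrv", "ImagePath",
                 "\\??\\C:\\Windows\\System32\\drivers\\example.sys"),
        RegWrite("HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Parameters", "ServiceDll",
                 "%SystemRoot%\\System32\\example.dll"),
        RegWrite("HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp", "ImagePath",
                 "%SystemRoot%\\system32\\svchost.exe -k netsvcs"),   # benign: not a dropped file
    ]
    print(is_upx_packed(build_min_pe([b"UPX0", b"UPX1", b".rsrc"])))  # True
    print(service_persistence_from_drops(dropped, writes))
```

Two caveats a practitioner should keep in mind. The section-name check only catches stock UPX; the report's signature also claims modified UPX builds, which typically rename sections, so a real detector has to look at the unpacking stub rather than names alone. And the registry correlation is only as good as the dropped-file list: a driver whose ImagePath points at a pre-existing file in System32\drivers is not flagged here even if that file was overwritten.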
