Resubmissions

  • 30-05-2024 15:20  240530-sq7vlacg41  10
  • 29-05-2024 04:50  240529-fgnzxaba2x  10

General

  • Target: 2024-05-29_69599f6b37fb75a88be6121cbdf8cfe8_icedid
  • Size: 3.2MB
  • Sample: 240529-fgnzxaba2x
  • MD5: 69599f6b37fb75a88be6121cbdf8cfe8
  • SHA1: c6538bd057e6de5059aaff542d053fbaf0b06671
  • SHA256: 9b6605e129266a2c4d0c8658dd5d1861a910f7610ba4c5aa33c78644b7875e61
  • SHA512: 4c7593dd79ea58b43c91de74d4e1272de8684915f5b9a61973d6e20b6dfbd9993d7e67aabfd03bb5c1118da86b4a5d5134e55f594e544c1522d97569aaa264ce
  • SSDEEP: 49152:yCwsbCANnKXferL7Vwe/Gg0P+WhZ53LBfL+5DGC:Vws2ANnKXOaeOgmhZ1LBfsDd

Malware Config

Targets

    • Target: 2024-05-29_69599f6b37fb75a88be6121cbdf8cfe8_icedid

    • Detect PurpleFox Rootkit
    • Gh0st RAT payload
    • Gh0strat: Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.
    • PurpleFox: PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.
    • UPX dump on OEP (original entry point)
    • Drops file in Drivers directory
    • Sets DLL path for service in the registry
    • Sets service image path in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file: Detects executables packed with UPX or a modified UPX open-source packer.
    • Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (2)
  • T1542 Pre-OS Boot (1)
    • T1542.003 Bootkit (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (2)

Defense Evasion
  • T1112 Modify Registry (2)
  • T1542 Pre-OS Boot (1)
    • T1542.003 Bootkit (1)

Discovery
  • T1018 Remote System Discovery (1)

Tasks