General

  • Target

    94eb81082f081690654c8ab9186876762639302c5dd70b8785b4a18c9aed1c82

  • Size

    2.3MB

  • Sample

    240529-g39deaea34

  • MD5

    a3c1eb89784badec8693d1bff034ae59

  • SHA1

    3537da6d4093360d2391f286178f7f3554da03ef

  • SHA256

    94eb81082f081690654c8ab9186876762639302c5dd70b8785b4a18c9aed1c82

  • SHA512

    0765d885978aa47448dcb3b495bd54a3fab3aeae8b7d351f7eb3ee9da0ab2db377f390d59b8c78494d8657c782a0510251b23cd1eb12c31fd2e5dae1bb4e46e2

  • SSDEEP

    49152:k09XJt4HIN2H2tFvduySLILWqOlSCsfKOz:JZJt4HINy2LkLop0SCsfz
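The hashes above identify the sample; the helper below is an added example (not part of the sandbox report, and not the sandbox's own code) that computes the same four digests for a local file, compares them with the report's values, and walks the PE section table to apply the simple section-name/marker check that UPX detections such as the "UPX packed file" signature further down commonly rely on. ssdeep is not in the standard library and is left out. build_minimal_pe constructs a synthetic PE header used only as test input; it is not the sample.

```python
import hashlib
import struct

# Digests copied from the report's General section, so a local file can be
# checked against this exact sample.
REPORT_HASHES = {
    "md5": "a3c1eb89784badec8693d1bff034ae59",
    "sha1": "3537da6d4093360d2391f286178f7f3554da03ef",
    "sha256": "94eb81082f081690654c8ab9186876762639302c5dd70b8785b4a18c9aed1c82",
    "sha512": "0765d885978aa47448dcb3b495bd54a3fab3aeae8b7d351f7eb3ee9da0ab2db3"
              "77f390d59b8c78494d8657c782a0510251b23cd1eb12c31fd2e5dae1bb4e46e2",
}

UPX_MARKER = b"UPX!"  # tag that stock UPX writes into packed files


def file_hashes(data: bytes) -> dict:
    """Lower-case hex digests of the four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_report_iocs(hashes: dict) -> set:
    """Names of the algorithms whose digest equals the report's value."""
    return {name for name, digest in hashes.items()
            if REPORT_HASHES.get(name) == digest.lower()}


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names.
    Returns [] for anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        off = table + i * 40                 # each section header is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """True if a section is named UPX* or the UPX! marker is present.
    A modified UPX build that renames sections and strips the marker evades
    this; a per-section entropy check catches more."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or UPX_MARKER in data


def build_minimal_pe(section_names) -> bytes:
    """Constructed test input: DOS stub + PE signature + COFF header with no
    optional header, followed by a bare section table. Not an executable."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:  # no file given: run against the constructed header instead
        blob = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    h = file_hashes(blob)
    print("matches report:", sorted(match_report_iocs(h)) or "none")
    print("sections:", pe_section_names(blob))
    print("UPX packed:", is_upx_packed(blob))
```

Run it with the sample path as the only argument; with no argument it exercises the constructed header. The section-name check is deliberately the weak, fast one: it is what most "UPX packed" signatures do, and it is exactly what a "modified UPX" (which the signature text also mentions) defeats by renaming sections.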

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detects the PurpleFox rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Drops file in System32 directory
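The behavioural signatures in this list (driver and System32 drops, service ImagePath writes, execution of dropped EXEs, loading of dropped DLLs) are rules evaluated over the event trace the sandbox records. The code below is an added example, not the sandbox's own rule engine, showing how those five rules can be expressed and replayed in order over a constructed trace; the events, paths, service name and PIDs are all invented for illustration and are not taken from this report.

```python
import re

# Windows paths and registry keys are case-insensitive, hence re.I.
DRIVERS_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
SERVICE_IMAGEPATH = re.compile(
    r"^(hklm|\\registry\\machine)\\system\\(currentcontrolset|controlset\d{3})"
    r"\\services\\[^\\]+\\imagepath$", re.I)


def evaluate_signatures(events):
    """Replay sandbox events in order and return the set of signature names
    that fired. 'dropped' remembers every file written during the run so
    that the 'Executes dropped EXE' / 'Loads dropped DLL' rules fire only
    for files the sample itself created earlier in the trace."""
    hits, dropped = set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            path = ev["path"]
            dropped.add(path.lower())
            if DRIVERS_DIR.match(path):
                hits.add("Drops file in Drivers directory")
            if SYSTEM32_DIR.match(path):   # drivers\ is under System32, so both fire
                hits.add("Drops file in System32 directory")
        elif kind == "reg_set":
            if SERVICE_IMAGEPATH.match(ev["key"]):
                hits.add("Sets service image path in registry")
        elif kind == "proc_create":
            image = ev["image"].lower()
            if image in dropped and image.endswith(".exe"):
                hits.add("Executes dropped EXE")
        elif kind == "image_load":
            image = ev["image"].lower()
            if image in dropped and image.endswith(".dll"):
                hits.add("Loads dropped DLL")
    return hits


# Constructed trace (hypothetical, not from the report): a dropper that
# writes a second-stage EXE, a helper DLL and a driver, registers the
# driver as a service, then runs the second stage which loads the DLL.
SAMPLE_EVENTS = [
    {"type": "proc_create", "pid": 1200, "image": r"C:\Users\victim\Desktop\sample.exe"},
    {"type": "file_write", "pid": 1200, "path": r"C:\Users\victim\AppData\Local\Temp\svchost_upd.exe"},
    {"type": "file_write", "pid": 1200, "path": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"type": "file_write", "pid": 1200, "path": r"C:\Windows\System32\drivers\hypodrv.sys"},
    {"type": "reg_set", "pid": 1200,
     "key": r"HKLM\SYSTEM\ControlSet001\Services\HypoDrv\ImagePath",
     "value": r"\??\C:\Windows\System32\drivers\hypodrv.sys"},
    {"type": "proc_create", "pid": 1244, "image": r"C:\Users\victim\AppData\Local\Temp\svchost_upd.exe"},
    {"type": "image_load", "pid": 1244, "image": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
]

# Constructed benign trace: an installer touching only its own directory.
BENIGN_EVENTS = [
    {"type": "proc_create", "pid": 900, "image": r"C:\Program Files\Tool\setup.exe"},
    {"type": "file_write", "pid": 900, "path": r"C:\Program Files\Tool\config.ini"},
    {"type": "reg_set", "pid": 900, "key": r"HKCU\Software\Tool\Installed", "value": "1"},
]

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, "->", sorted(evaluate_signatures(trace)) or "no signatures")
```

Order matters for the two "dropped" rules: a process creation or image load is only suspicious here if the trace already contains a write of that path, which is why the loop keeps state instead of matching each event in isolation. An obvious extension is to correlate the ImagePath value with the set of dropped files, which ties the service registration to the driver drop rather than treating them as two independent hits.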

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID          Count
Persistence           Boot or Logon Autostart Execution    T1547       1
Persistence           Registry Run Keys / Startup Folder   T1547.001   1
Privilege Escalation  Boot or Logon Autostart Execution    T1547       1
Privilege Escalation  Registry Run Keys / Startup Folder   T1547.001   1
Defense Evasion       Modify Registry                      T1112       1
Discovery             System Information Discovery         T1082       1
Discovery             Remote System Discovery              T1018       1
