General

  • Target

    38bb2e05e80742d83af6c307569d478793176676ae68a585ce10ceba662f256d

  • Size

    1.4MB

  • Sample

    240529-gx8jxsch7v

  • MD5

    ff86d6d3bfbe26f635cfe353a2cc3b29

  • SHA1

    e663a5f66a8a5b3a89391293abc2979ecb31e944

  • SHA256

    38bb2e05e80742d83af6c307569d478793176676ae68a585ce10ceba662f256d

  • SHA512

    9596672e8baec3fbf5b996c1d18f688afab50a027ec4f4d47ec19b8e5a9af9ccd3560a9e6c5ce9c85b55574c42ffd2b99113d9493c68443121411f58273f3d8d

  • SSDEEP

    24576:qQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVQ2:qQZAdVyVT9n/Gg0P+Whow

Malware Config

Targets

    • Target

      38bb2e05e80742d83af6c307569d478793176676ae68a585ce10ceba662f256d

    • Size

      1.4MB

    • MD5

      ff86d6d3bfbe26f635cfe353a2cc3b29

    • SHA1

      e663a5f66a8a5b3a89391293abc2979ecb31e944

    • SHA256

      38bb2e05e80742d83af6c307569d478793176676ae68a585ce10ceba662f256d

    • SHA512

      9596672e8baec3fbf5b996c1d18f688afab50a027ec4f4d47ec19b8e5a9af9ccd3560a9e6c5ce9c85b55574c42ffd2b99113d9493c68443121411f58273f3d8d

    • SSDEEP

      24576:qQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVQ2:qQZAdVyVT9n/Gg0P+Whow

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Drops file in System32 directory
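
The registry behaviours listed above (a service image path set, a service DLL path set, and a Run-key entry) are the ones a detection engineer would most want to catch on a live host. The following is an added example of that detection logic run over sample events; it is not the sandbox's own rule code and does not use data from this sample. It assumes a simplified Sysmon-style "key=value" line format (field names follow Sysmon Event ID 13, value set, but the line layout is a demo assumption), and the sample events, paths and service names are constructed for illustration. Technique IDs in the findings are taken from the ATT&CK matrix below.

```python
"""Flag registry writes matching the behaviours in the report above.

Added example, not the sandbox's own detection rules. Input lines are a
constructed, simplified Sysmon-style "key=value" format; the field names
(EventID, Image, TargetObject, Details) follow Sysmon Event ID 13
(RegistryEvent, value set), but the line format itself is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample events. Service names and paths are invented for the
# demo and are NOT indicators taken from the sample on this page.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\dropped.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\MsSecSvc\\ImagePath "
    "Details=C:\\Windows\\System32\\drivers\\mssec.sys",
    "EventID=13 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\dropped.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\MsSecSvc\\Parameters\\ServiceDll "
    "Details=C:\\Windows\\System32\\mssec.dll",
    "EventID=13 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\dropped.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Users\\victim\\AppData\\Local\\Temp\\dropped.exe",
    # Benign: a service Start value changed by svchost, not matched by any rule.
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Dnscache\\Start "
    "Details=DWORD (0x00000002)",
    # Not a registry event at all; skipped.
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# key=value pairs; values may contain spaces, so a value runs until the
# next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Registry locations mirroring the report's behaviour labels.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SERVICE_IMAGEPATH_RE = re.compile(
    r"\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
SERVICE_DLL_RE = re.compile(
    r"\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
DRIVERS_DIR_RE = re.compile(r"\\System32\\drivers\\", re.I)


@dataclass
class Finding:
    technique: str   # ATT&CK ID as listed in the matrix on this page
    rule: str        # short name mirroring the report's behaviour label
    target: str      # registry value that was written
    details: str     # data written to it
    writer: str      # process that performed the write


def parse_event(line: str) -> dict:
    """Split one constructed event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def analyze(lines):
    """Return a Finding for every registry write matching one of the rules."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        writer = ev.get("Image", "")

        if RUN_KEY_RE.search(target):
            findings.append(Finding("T1547.001", "Registry Run key entry added",
                                    target, details, writer))
        if SERVICE_IMAGEPATH_RE.search(target):
            rule = "Sets service image path in registry"
            if DRIVERS_DIR_RE.search(details):
                # A service whose image lives under System32\drivers is a
                # kernel driver: the rootkit-style case the report flags.
                rule += " (image under System32\\drivers)"
            findings.append(Finding("T1112", rule, target, details, writer))
        if SERVICE_DLL_RE.search(target):
            findings.append(Finding("T1112", "Sets DLL path for service in the registry",
                                    target, details, writer))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.rule}: {f.target} -> {f.details} [{f.writer}]")
```

Against the constructed events this yields three findings: the driver ImagePath write, the ServiceDll write, and the Run-key entry; the benign Dnscache Start change and the non-registry event produce nothing. On a real host the same patterns apply to Sysmon Event ID 13 records; the writer's path is worth keeping in the output because a service image or ServiceDll set by a process running out of a user's Temp directory is far more suspicious than the same write from an installer under Program Files.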

MITRE ATT&CK Matrix (ATT&CK v13)

Counts are the number of report signatures mapped to each technique.

  Tactic                 Technique                              ID          Count
  Persistence            Boot or Logon Autostart Execution      T1547       2
  Persistence            Registry Run Keys / Startup Folder     T1547.001   2
  Privilege Escalation   Boot or Logon Autostart Execution      T1547       2
  Privilege Escalation   Registry Run Keys / Startup Folder     T1547.001   2
  Defense Evasion        Modify Registry                        T1112       2
  Discovery              System Information Discovery           T1082       1
  Discovery              Remote System Discovery                T1018       1

Tasks