General

  • Target

    187f33346d17b0757add6517e33ffcfb9e6f84286a4cc75fe86f2d94416a6cab

  • Size

    3.3MB

  • Sample

    240529-h3mp3sfe52

  • MD5

    2b30bc0df3be2674e98d1e934de299dc

  • SHA1

    cced5f08a52285474ce75f2bf58706d1297875d4

  • SHA256

    187f33346d17b0757add6517e33ffcfb9e6f84286a4cc75fe86f2d94416a6cab

  • SHA512

    e65dcf9980c60c36946797f54155074aa8da32e287200a8ba32b9cbeefe3a7da20c3676b4778893a9b2f1a516085126377b16cb693221de52bdbae718cc87ede

  • SSDEEP

    24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN8I:QHPkVOBTKj

Malware Config

Targets

    • Target

      187f33346d17b0757add6517e33ffcfb9e6f84286a4cc75fe86f2d94416a6cab

    • Size

      3.3MB

    • MD5

      2b30bc0df3be2674e98d1e934de299dc

    • SHA1

      cced5f08a52285474ce75f2bf58706d1297875d4

    • SHA256

      187f33346d17b0757add6517e33ffcfb9e6f84286a4cc75fe86f2d94416a6cab

    • SHA512

      e65dcf9980c60c36946797f54155074aa8da32e287200a8ba32b9cbeefe3a7da20c3676b4778893a9b2f1a516085126377b16cb693221de52bdbae718cc87ede

    • SSDEEP

      24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN8I:QHPkVOBTKj

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Remote System Discovery

1
T1018

Tasks