General

  • Target

    1c6f3f3c7be6da2feb2bccb5a834df3317dce8f7b396547bcac4e69569fd575a

  • Size

    1.6MB

  • Sample

    240529-hfs9caee63

  • MD5

    79f1722a8bace71a7b13db8f26911284

  • SHA1

    7dd16d9302bcb471e728d5a6069104292d785515

  • SHA256

    1c6f3f3c7be6da2feb2bccb5a834df3317dce8f7b396547bcac4e69569fd575a

  • SHA512

    c7f8f8696b46da410c1771a9ac3197f6f03aa901fd95b2f971b3896e2c57e62251af8a19038bba61a9b7907c44e1e1dabf85383975b3817b63d1d52a1206f501

  • SSDEEP

    24576:jQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cV/FSyn2o:jQZAdVyVT9n/Gg0P+WhoCSyn2o

Malware Config

Targets

    • Target

      1c6f3f3c7be6da2feb2bccb5a834df3317dce8f7b396547bcac4e69569fd575a

    • Size

      1.6MB

    • MD5

      79f1722a8bace71a7b13db8f26911284

    • SHA1

      7dd16d9302bcb471e728d5a6069104292d785515

    • SHA256

      1c6f3f3c7be6da2feb2bccb5a834df3317dce8f7b396547bcac4e69569fd575a

    • SHA512

      c7f8f8696b46da410c1771a9ac3197f6f03aa901fd95b2f971b3896e2c57e62251af8a19038bba61a9b7907c44e1e1dabf85383975b3817b63d1d52a1206f501

    • SSDEEP

      24576:jQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cV/FSyn2o:jQZAdVyVT9n/Gg0P+WhoCSyn2o

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                               ID          Count
  Persistence           Boot or Logon Autostart Execution       T1547       2
  Persistence           Registry Run Keys / Startup Folder      T1547.001   2
  Privilege Escalation  Boot or Logon Autostart Execution       T1547       2
  Privilege Escalation  Registry Run Keys / Startup Folder      T1547.001   2
  Defense Evasion       Modify Registry                         T1112       2
  Discovery             System Information Discovery            T1082       1
  Discovery             Remote System Discovery                 T1018       1

Tasks