General

  • Target

    2024-05-29_c96242c5b4ed03a7f154e824119c2848_icedid

  • Size

    4.3MB

  • Sample

    240529-jecewafh89

  • MD5

    c96242c5b4ed03a7f154e824119c2848

  • SHA1

    7cc00ae44b32e7294bb206f06a38ebe16febd965

  • SHA256

    0579352a87ff035067c25c9e6fa490673dfa94da80a3562a94f7ce7735248c1b

  • SHA512

    a25e103fb17ec285255e09d851bc85d4f9787220e761625bb8d0a2386ca62d00dcbf6fe489b969b7af2e173b3dab3bdbc0f97e28f3e30ad2c37001755dec06ce

  • SSDEEP

    49152:oQZAdVyVT9n/Gg0P+WhodJKFBY+LoY2G/uW16js/+EoETONa4O8b8ITDnl/hFx+y:BGdVyVT9nOgmhcJoY+LoYLVWE+EoEq

Malware Config

Targets

    • Target

      2024-05-29_c96242c5b4ed03a7f154e824119c2848_icedid

    • Size

      4.3MB

    • MD5

      c96242c5b4ed03a7f154e824119c2848

    • SHA1

      7cc00ae44b32e7294bb206f06a38ebe16febd965

    • SHA256

      0579352a87ff035067c25c9e6fa490673dfa94da80a3562a94f7ce7735248c1b

    • SHA512

      a25e103fb17ec285255e09d851bc85d4f9787220e761625bb8d0a2386ca62d00dcbf6fe489b969b7af2e173b3dab3bdbc0f97e28f3e30ad2c37001755dec06ce

    • SSDEEP

      49152:oQZAdVyVT9n/Gg0P+WhodJKFBY+LoY2G/uW16js/+EoETONa4O8b8ITDnl/hFx+y:BGdVyVT9nOgmhcJoY+LoYLVWE+EoEq

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks