General

  • Target

    2024-05-29_dea95c01bd90a9929973dd9b1fbafa73_icedid

  • Size

    4.2MB

  • Sample

    240529-jgchnafc5y

  • MD5

    dea95c01bd90a9929973dd9b1fbafa73

  • SHA1

    72591310d5a4bf328dc69575a0ab6de8f3e79e65

  • SHA256

    cd765019fe6a9d1edff28906a4000b4dbe7c3c049a7dea1d775eb5a7131fbf7a

  • SHA512

    5885b26120a8c4870c0de552bf33870388ccc4f6d08feec0e8c8099dbf840ba00fdeca569e658eae5873c05724155873bef2fdecf2a1d9be2fc9ab1107f87f15

  • SSDEEP

    49152:pQZAdVyVT9n/Gg0P+WhoGmigy13TW4jFCs2pfRdO8u60N1xcdd9gVIkdqfvEAkq/:6GdVyVT9nOgmhQ3Ts21i8WN1igVIf6O

Malware Config

Targets

    • Target

      2024-05-29_dea95c01bd90a9929973dd9b1fbafa73_icedid

    • Size

      4.2MB

    • MD5

      dea95c01bd90a9929973dd9b1fbafa73

    • SHA1

      72591310d5a4bf328dc69575a0ab6de8f3e79e65

    • SHA256

      cd765019fe6a9d1edff28906a4000b4dbe7c3c049a7dea1d775eb5a7131fbf7a

    • SHA512

      5885b26120a8c4870c0de552bf33870388ccc4f6d08feec0e8c8099dbf840ba00fdeca569e658eae5873c05724155873bef2fdecf2a1d9be2fc9ab1107f87f15

    • SSDEEP

      49152:pQZAdVyVT9n/Gg0P+WhoGmigy13TW4jFCs2pfRdO8u60N1xcdd9gVIkdqfvEAkq/:6GdVyVT9nOgmhQ3Ts21i8WN1igVIf6O

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks