General

  • Target

    6487d399238929e022fad0758583761396fd93d6695ae5f15c640f8085064942

  • Size

    2.0MB

  • Sample

    240529-k7dn3sae56

  • MD5

    d914533f787169f175c3f6823837ce7e

  • SHA1

    76c47b2cef7410169442efd0d26f12aa0d76b551

  • SHA256

    6487d399238929e022fad0758583761396fd93d6695ae5f15c640f8085064942

  • SHA512

    7bfeb40e86977059e52e911091dc4b612d880e690351d0d7674dc66b14c5d2014984193048dbfc70862e1bde3ecc44680ad20d005429d4f161a0b7c397f845f2

  • SSDEEP

    49152:TQZAdVyVT9n/Gg0P+Who5peicZPItx2apeapelI:UGdVyVT9nOgmhhittUvlI

Malware Config

Targets

    • Target

      6487d399238929e022fad0758583761396fd93d6695ae5f15c640f8085064942

    • Size

      2.0MB

    • MD5

      d914533f787169f175c3f6823837ce7e

    • SHA1

      76c47b2cef7410169442efd0d26f12aa0d76b551

    • SHA256

      6487d399238929e022fad0758583761396fd93d6695ae5f15c640f8085064942

    • SHA512

      7bfeb40e86977059e52e911091dc4b612d880e690351d0d7674dc66b14c5d2014984193048dbfc70862e1bde3ecc44680ad20d005429d4f161a0b7c397f845f2

    • SSDEEP

      49152:TQZAdVyVT9n/Gg0P+Who5peicZPItx2apeapelI:UGdVyVT9nOgmhhittUvlI

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks