General

  • Target

    2fcd373ca643d84ddf08d9ce16687fc36f8615316f138f8a92725b2cc9a835a8

  • Size

    1.3MB

  • Sample

    240529-rhcttahf98

  • MD5

    e6fc0c323c92002bc010b35543409a62

  • SHA1

    2871e5dba037e0d713786404607776fc0556c492

  • SHA256

    2fcd373ca643d84ddf08d9ce16687fc36f8615316f138f8a92725b2cc9a835a8

  • SHA512

    375105e119f3d7168b8bc8e047005a76e417689192778b42da6aae7c81aa62b3136a6ecd0ce706b7b7c3953224a94c23d5af79108645608e4b185dd5c35cbb48

  • SSDEEP

    24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNk:QHPkVOBTK

Malware Config

Targets

    • Target

      2fcd373ca643d84ddf08d9ce16687fc36f8615316f138f8a92725b2cc9a835a8

    • Size

      1.3MB

    • MD5

      e6fc0c323c92002bc010b35543409a62

    • SHA1

      2871e5dba037e0d713786404607776fc0556c492

    • SHA256

      2fcd373ca643d84ddf08d9ce16687fc36f8615316f138f8a92725b2cc9a835a8

    • SHA512

      375105e119f3d7168b8bc8e047005a76e417689192778b42da6aae7c81aa62b3136a6ecd0ce706b7b7c3953224a94c23d5af79108645608e4b185dd5c35cbb48

    • SSDEEP

      24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNk:QHPkVOBTK

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Remote System Discovery (T1018): 1

Tasks