General

  • Target

    2ce905195ccefec6ce2669c900e37c08b4d773ed0a7808686274295a20cf6eac

  • Size

    374KB

  • Sample

    240601-tzkbbshc67

  • MD5

    f42b3fff3efc76f31ffd6543d6ee9d2d

  • SHA1

    37157943ffb3e55e9d93bdc414f0ff58df2aa3ae

  • SHA256

    2ce905195ccefec6ce2669c900e37c08b4d773ed0a7808686274295a20cf6eac

  • SHA512

    80396687b45ffc8aad8c6a40be806d5ead0f2dcb8310cc59dcfc498686d1cd5789a9a9a91a373d4ecb93e67e7f94ab490fc16534760f0fb3cfc33b1afc63ef57

  • SSDEEP

    6144:NjO+L1Czkq7KTW1Dl/saQ9rtYm3okqoBSpH50KcddsVRZdaiYviQJqOC5BpQwmB:ZMzpOTY+JzYmE7R55udm7U5JTRwe

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 2

    • Remote System Discovery (T1018): 1

Tasks