General

  • Target

    f58b3c8d870a97f612371b54b54dfcc6563f0cc52668826b3d1d7ef555213864

  • Size

    1.5MB

  • Sample

    240602-mjqd3sae2v

  • MD5

    4c4b869a375bfa0d9224e6005bed6c0c

  • SHA1

    20d124fa90eccb48ecea686b81a7f5d5da078dad

  • SHA256

    f58b3c8d870a97f612371b54b54dfcc6563f0cc52668826b3d1d7ef555213864

  • SHA512

    41a9aed3ebd7dcabab7d159965e92c9e7d25044ab92197e884161e0f03858d1808516741a005989d67c9515559da939519f164d5e820653dcb7d6da8281be779

  • SSDEEP

    24576:oQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVcz:oQZAdVyVT9n/Gg0P+WhoFz

Malware Config

Targets

    • Target

      f58b3c8d870a97f612371b54b54dfcc6563f0cc52668826b3d1d7ef555213864

    • Size

      1.5MB

    • MD5

      4c4b869a375bfa0d9224e6005bed6c0c

    • SHA1

      20d124fa90eccb48ecea686b81a7f5d5da078dad

    • SHA256

      f58b3c8d870a97f612371b54b54dfcc6563f0cc52668826b3d1d7ef555213864

    • SHA512

      41a9aed3ebd7dcabab7d159965e92c9e7d25044ab92197e884161e0f03858d1808516741a005989d67c9515559da939519f164d5e820653dcb7d6da8281be779

    • SSDEEP

      24576:oQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVcz:oQZAdVyVT9n/Gg0P+WhoFz

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks