General

  • Target

    2bb069d13ceebe43d6d5bfb3cedde332183eef70fc7e141a4d385690a3d9e383

  • Size

    2.0MB

  • Sample

    240603-czc4ksgb4x

  • MD5

    f08d1a4dd775d38be636e75baaa28f49

  • SHA1

    748aef08596984933b8a8b8f5b4d6b538b8842e8

  • SHA256

    2bb069d13ceebe43d6d5bfb3cedde332183eef70fc7e141a4d385690a3d9e383

  • SHA512

    6da63f3cee607da7bd95ef0bf1e92b1350b1ff9f7c46402b6bbc5618bbcfe354a5357d0ab0fb404d60195d7c1b47d3e058bbfcf61130ce404c2c662b7d704ab2

  • SSDEEP

    49152:j09XJt4HIN2H2tFvduySlpeIGZPItx2apeapelI:wZJt4HINy2LkKYtUvlI

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Count  ID
Persistence           Boot or Logon Autostart Execution    1      T1547
Persistence           Registry Run Keys / Startup Folder   1      T1547.001
Privilege Escalation  Boot or Logon Autostart Execution    1      T1547
Privilege Escalation  Registry Run Keys / Startup Folder   1      T1547.001
Defense Evasion       Modify Registry                      1      T1112
Discovery             System Information Discovery         1      T1082
Discovery             Remote System Discovery              1      T1018

Tasks