General

  • Target

    3311b8c3707f75831aa443db406c71e0.bin

  • Size

    474KB

  • Sample

    240605-cav8vsbe46

  • MD5

    dbb92372d9fa06dcadfe23858ea37828

  • SHA1

    c2dd937a79aeee7e9023727b6405eabbb3844e99

  • SHA256

    cb36447214f19713d40b07de0ed7e5b828f5961a2970eb5409b90d073a05f312

  • SHA512

    69e2259a5bc4af47739a4b778493efe5d4b0a8ae16964a352395f2c3c2a0316e476964042bc6f7504f9611babeea13024e787884b263406e20c1bcac820a97ee

  • SSDEEP

    12288:BEw58ga6Gk9eN3HvwOlbhRd+iIl3KzoFBv:iw58gX78fw4bhRsllSoFBv

Malware Config

Targets

    • Target

      364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7.exe

    • Size

      475KB

    • MD5

      3311b8c3707f75831aa443db406c71e0

    • SHA1

      ad5ebc62c45287e67febc164b7b7b876b82b6a5d

    • SHA256

      364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7

    • SHA512

      86cc39e7c4b82f03d0f4b3f2d7021626b7294c0ec909152a457f73ce829923934daae696ffd5306edde43f807f1ed35261e25093e47c8645a5d37317ec87c19f

    • SSDEEP

      6144:tSPB0Gyvn8di2sPXZ/9h2r2D6LfMlh4Egky/96sggH4S9K3iwJywrq/eY762d5UO:MU8A/62WOKkU6sgK0y8YW2k0QnY3ZA

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Remote System Discovery

1
T1018

Tasks