General

  • Target

    14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054

  • Size

    375KB

  • Sample

    240618-j45sqayern

  • MD5

    c51e84d4d53678605a1cb5feb6436c84

  • SHA1

    c5b5bbc10b0901923bf13690d9e575b41d86ac59

  • SHA256

    14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054

  • SHA512

    022d9ad8b1879ae110b8bb3ca6cde27d479ede1ff591f9ce8faea583e44e3d228f3f53558f68427be838a87a02a661227dd6290e35b6734411eeb6f14ea306f6

  • SSDEEP

    6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8NhY5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyxd

Malware Config

Targets

    • Target

      14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054

    • Size

      375KB

    • MD5

      c51e84d4d53678605a1cb5feb6436c84

    • SHA1

      c5b5bbc10b0901923bf13690d9e575b41d86ac59

    • SHA256

      14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054

    • SHA512

      022d9ad8b1879ae110b8bb3ca6cde27d479ede1ff591f9ce8faea583e44e3d228f3f53558f68427be838a87a02a661227dd6290e35b6734411eeb6f14ea306f6

    • SSDEEP

      6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8NhY5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyxd

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Remote System Discovery

1
T1018

Tasks