General

  • Target

    74c8328aa88e1bd7f0e31b1f5b76f38c4361264ed95102c8416f42cdd41c0c80

  • Size

    1.3MB

  • Sample

    240618-lhzqpaxeqd

  • MD5

    5a4296be52773d17b2f7e5aa19c3bc84

  • SHA1

    1bbbdec2d90896aa376a32f0fad6493c53376995

  • SHA256

    74c8328aa88e1bd7f0e31b1f5b76f38c4361264ed95102c8416f42cdd41c0c80

  • SHA512

    6e5666767ab91055ee2b583402562be9a16b9db10c5c4e1e3b7244621415217d66ac5f3a49ea6a471727cb2c32339b472f738f30958cff9c6a21018c66273806

  • SSDEEP

    24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNA:QHPkVOBTK

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1018 Remote System Discovery (1)

Tasks