General

  • Target

    019f79bad911018716678def3bc289b1.7z

  • Size

    529KB

  • Sample

    240618-rsefdsxelc

  • MD5

    019f79bad911018716678def3bc289b1

  • SHA1

    709536cba1206f133724f522944d4c3f098a577a

  • SHA256

    24f5ebdad00d567029760a3e364b2702d1402fe4dc6c7e0801824b02bd239c22

  • SHA512

    355f1610e2ab20e86546ee748f2a596467ccf72610b3df258aa384a4da918a7794c43462449183ef1faa17d9193e8305c24c520253189d2d4ba54cfb32bdd289

  • SSDEEP

    6144:k4GBTCX0LSFaEPsBjvraT/o/8qF3HfYakJNJC3EPDkv0niR6KeLsn/Rt3OLnIfS/:xdFBuEg0y3HApQ3EbkE/bwGzWzUlq7w

Malware Config

Targets

    • Target

      Phija.exe

    • Size

      539KB

    • MD5

      bd50ba38259a5c7a2a376ea20c16d895

    • SHA1

      a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd

    • SHA256

      37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad

    • SHA512

      30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66

    • SSDEEP

      12288:whymnwJFPNdgBAEHApqePJN1AmLM7uVq9sSYN:wUmwrl2Ao7sJNlM7ymsSYN

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Tasks