General

  • Target

    26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975

  • Size

    1.8MB

  • Sample

    240619-d15qnashmc

  • MD5

    13864d68f3a28742b3c0b0553848b7de

  • SHA1

    fe426400213b114ac6d0771fefb4f81e613aa36a

  • SHA256

    26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975

  • SHA512

    2a18fb43903d29c04b6790c6d8ed2de1e808e5727c40ebd56c1e645c88ef196d0b3ff23584db93d0f1e6d47e7097e63e49fea6d140b6643bb2012ffc38171b7e

  • SSDEEP

    49152:c09XJt4HIN2H2tFvduySOpe724CKUZS+VlnupeapeeU:BZJt4HINy2Lkr7a1vr

Malware Config

Targets

    • Target

      26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975

    • Size

      1.8MB

    • MD5

      13864d68f3a28742b3c0b0553848b7de

    • SHA1

      fe426400213b114ac6d0771fefb4f81e613aa36a

    • SHA256

      26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975

    • SHA512

      2a18fb43903d29c04b6790c6d8ed2de1e808e5727c40ebd56c1e645c88ef196d0b3ff23584db93d0f1e6d47e7097e63e49fea6d140b6643bb2012ffc38171b7e

    • SSDEEP

      49152:c09XJt4HIN2H2tFvduySOpe724CKUZS+VlnupeapeeU:BZJt4HINy2Lkr7a1vr

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks