General

  • Target

    5146b3073cb7fafb3bee76905cfba7f601b286e9488ba028d86cc0a906c54e27

  • Size

    2.6MB

  • Sample

    240619-d15qnaxdrj

  • MD5

    07601e5947a2582851ec9fd07e31c3d1

  • SHA1

    41f0e8798b53f77e8d271fe9dfa039b58288b588

  • SHA256

    5146b3073cb7fafb3bee76905cfba7f601b286e9488ba028d86cc0a906c54e27

  • SHA512

    aee4a9b7ae2de448b9089f2d03c8119636f39932c106f2eb27829e324a4c09691eb11eadfc3ef20a705a562f1a704e7a1fe59185fbe655a741719d1a2cb3f8d6

  • SSDEEP

    24576:eCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHz:eCwsbCANnKXferL7Vwe/Gg0P+Wh2gY

Targets

    • Detect PurpleFox Rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Drops file in System32 directory
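Two of the items above are reproducible offline: the hash set in the General section identifies the exact file, and the "UPX packed file" signature is a static check on the PE header. The following Python is an added example (not the sandbox's own signature code): it computes the same four hashes so a file on disk can be matched against the reported SHA256, and it implements the UPX heuristic by parsing the PE section table for UPX0/UPX1 names or the UPX! marker. The SHA256 constant is copied from this report; `build_fake_pe` and the section names it is given are constructed test fixtures.

```python
import hashlib
import struct

# SHA256 of the sample this report describes, copied from the General section above.
REPORT_SHA256 = "5146b3073cb7fafb3bee76905cfba7f601b286e9488ba028d86cc0a906c54e27"


def file_hashes(data: bytes) -> dict:
    """Compute the hash set a sandbox report lists for a sample (MD5/SHA1/SHA256/SHA512)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if the bytes are exactly the sample this report describes.
    Match on SHA256, not MD5: MD5 collisions are practical, SHA256 collisions are not."""
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


def pe_section_names(data: bytes) -> list:
    """Minimal PE section-table parser: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers.
    Returns [] for anything that is not a well-formed PE so callers fail closed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic behind a 'UPX packed file' signature: stock UPX names its sections UPX0/UPX1,
    and many modified builds still leave the 'UPX!' marker in the header area. Either indicator
    flags the file; neither proves malice, only that static strings will be hidden."""
    if any(name.startswith("UPX") for name in pe_section_names(data)):
        return True
    return b"UPX!" in data[:0x1000]


def build_fake_pe(section_names) -> bytes:
    """Constructed fixture (not a real sample): a header-only, non-runnable PE with the given section names."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0 (none), Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff_header + sections


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(file_hashes(blob)["sha256"], "matches report:", matches_report(blob))
    print("sections:", pe_section_names(blob), "UPX packed:", looks_upx_packed(blob))
```

Run it with the path of a suspected copy as the only argument; with no argument it demonstrates the UPX check on the constructed fixture. A UPX hit on its own only says the sample should be unpacked (`upx -d` works on stock builds, modified packers need manual dumping) before string or YARA analysis is meaningful.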

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID, and the number of signatures from the list above that mapped to it.

Persistence

  • Server Software Component (T1505): 1
      Terminal Services DLL (T1505.005): 1
  • Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 1
  • Remote System Discovery (T1018): 1
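The behaviours the report maps into the matrix (Terminal Services DLL, service image path in the registry, a file dropped into the Drivers directory, a Run-key autostart) are single-event observations, so they translate directly into host detection rules. The Python below is an added example, not the sandbox's signature engine: it runs one rule per behaviour over a handful of constructed Sysmon-style events (EventID 11 FileCreate, EventID 13 RegistryValueSet) and adds one correlation the per-event signatures cannot express, a dropped driver that the same trace then registers as a service. The event contents, the `DemoDrv.sys` and `demo_termsrv.dll` names and the `C:\Users\Public\dropper.exe` path are invented fixtures.

```python
import re

# Constructed Sysmon-like telemetry written for this example; not events from the report's run.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\Public\dropper.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\DemoDrv.sys"},
    {"EventID": 13, "Image": r"C:\Users\Public\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DemoDrv\ImagePath",
     "Details": r"\??\C:\Windows\System32\drivers\DemoDrv.sys"},
    {"EventID": 13, "Image": r"C:\Users\Public\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\demo_termsrv.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\dropper.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\dropper.exe"},
    # Stock value written by a legitimate process: must NOT fire the T1505.005 rule.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"%SystemRoot%\System32\termsrv.dll"},
    # Benign file write outside any watched directory: must not fire anything.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\notes.txt"},
]

# Both spellings the default TermService ServiceDll value is seen with (assumed normal set).
DEFAULT_TERMSRV = {r"%systemroot%\system32\termsrv.dll", r"c:\windows\system32\termsrv.dll"}


def _norm(path: str) -> str:
    """Case-fold and unify separators so rules compare paths, not spelling."""
    return path.lower().replace("/", "\\")


def is_termsrv_dll_hijack(e: dict) -> bool:
    """T1505.005: the ServiceDll of TermService rewritten to anything but the stock termsrv.dll."""
    return (e["EventID"] == 13
            and _norm(e["TargetObject"]).endswith(r"\services\termservice\parameters\servicedll")
            and _norm(e["Details"]) not in DEFAULT_TERMSRV)


def is_service_imagepath_set(e: dict) -> bool:
    """'Sets service image path in registry': any write to ...\\Services\\<name>\\ImagePath."""
    return e["EventID"] == 13 and re.search(r"\\services\\[^\\]+\\imagepath$", _norm(e["TargetObject"])) is not None


def is_driver_drop(e: dict) -> bool:
    """'Drops file in Drivers directory': a file created under System32\\drivers."""
    return e["EventID"] == 11 and "\\system32\\drivers\\" in _norm(e["TargetFilename"])


def is_run_key_persistence(e: dict) -> bool:
    """T1547.001: a value written under a CurrentVersion\\Run key."""
    return e["EventID"] == 13 and "\\currentversion\\run\\" in _norm(e["TargetObject"])


RULES = [
    ("T1505.005 Terminal Services DLL", is_termsrv_dll_hijack),
    ("Sets service image path in registry", is_service_imagepath_set),
    ("Drops file in Drivers directory", is_driver_drop),
    ("T1547.001 Registry Run Keys", is_run_key_persistence),
]


def evaluate(events):
    """Run every rule over every event; return the (rule name, event) pairs that fired."""
    return [(name, e) for e in events for name, rule in RULES if rule(e)]


def fired_rules(events):
    """Distinct rule names that fired, sorted for stable comparison."""
    return sorted({name for name, _ in evaluate(events)})


def registered_dropped_drivers(events):
    """Correlation across events: a file dropped into System32\\drivers that the same trace then
    registers as a service ImagePath, the install pattern behind kernel-mode rootkits.
    Returns the normalized paths that satisfy both conditions."""
    dropped = {_norm(e["TargetFilename"]) for e in events if is_driver_drop(e)}
    hits = []
    for e in events:
        if is_service_imagepath_set(e):
            target = _norm(e["Details"]).replace("\\??\\", "")  # strip the NT object-manager prefix
            if target in dropped:
                hits.append(target)
    return hits


if __name__ == "__main__":
    for name, e in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {e['Image']}")
    print("dropped drivers registered as services:", registered_dropped_drivers(SAMPLE_EVENTS))
```

The rule names reuse the report's own signature labels. Note that the report's matrix has no entry for a service ImagePath write even though that is the usual evidence for T1543.003 (Create or Modify System Process: Windows Service); the rule here keeps the signature label rather than assigning an ID the page does not give.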
