General

  • Target

    fc991045ca4f0b0bb242670f6f31b99af2beb818aaa03da33b5e880fdb1b5fa4

  • Size

    2.4MB

  • Sample

    240619-f6vhzsyhqq

  • MD5

    095d0f2d5acffcbf47251de8dcbe6de7

  • SHA1

    24a287a8fda23a29339a8f43d439a82b91407636

  • SHA256

    fc991045ca4f0b0bb242670f6f31b99af2beb818aaa03da33b5e880fdb1b5fa4

  • SHA512

    03d374629ba8826b275f0efaab6f0b530ddc23c94e73fc5ef3bc951a6bff61d0969b1acf7d44d06909f68f9569b166bcf56207e9b77dce20ecd6f0f970d5bd54

  • SSDEEP

    49152:NCwsbCANnKXferL7Vwe/Gg0P+WhAjzlEa:wws2ANnKXOaeOgmhAnlEa

Malware Config

Targets

    • Target

      fc991045ca4f0b0bb242670f6f31b99af2beb818aaa03da33b5e880fdb1b5fa4

    • Size

      2.4MB

    • MD5

      095d0f2d5acffcbf47251de8dcbe6de7

    • SHA1

      24a287a8fda23a29339a8f43d439a82b91407636

    • SHA256

      fc991045ca4f0b0bb242670f6f31b99af2beb818aaa03da33b5e880fdb1b5fa4

    • SHA512

      03d374629ba8826b275f0efaab6f0b530ddc23c94e73fc5ef3bc951a6bff61d0969b1acf7d44d06909f68f9569b166bcf56207e9b77dce20ecd6f0f970d5bd54

    • SSDEEP

      49152:NCwsbCANnKXferL7Vwe/Gg0P+WhAjzlEa:wws2ANnKXOaeOgmhAnlEa

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Remote System Discovery

1
T1018

Tasks