General

  • Target

    2da6e0667e55e230ab74c5eaf521dc0c54fe299f6d4034aa49a346bf42307ef8

  • Size

    2.7MB

  • Sample

    240619-f6vhzsyhqr

  • MD5

    25dc8b25c54e8acc2d64be8932a52f7d

  • SHA1

    7806c8c3468a96f1e252275fd8c0ea1e5f88242f

  • SHA256

    2da6e0667e55e230ab74c5eaf521dc0c54fe299f6d4034aa49a346bf42307ef8

  • SHA512

    d103dcad2be61c90feff554b6ee7e475d496b68e9f66a3562463a288dab5dd80a60e2080d44448430aa5e591f2b019711236f13c51b69c31c18b91ad1c71979d

  • SSDEEP

    49152:QCwsbCANnKXferL7Vwe/Gg0P+WhlnzpEWoxvD:7ws2ANnKXOaeOgmhVKZxL

Malware Config

Targets

    • Target

      2da6e0667e55e230ab74c5eaf521dc0c54fe299f6d4034aa49a346bf42307ef8

    • Size

      2.7MB

    • MD5

      25dc8b25c54e8acc2d64be8932a52f7d

    • SHA1

      7806c8c3468a96f1e252275fd8c0ea1e5f88242f

    • SHA256

      2da6e0667e55e230ab74c5eaf521dc0c54fe299f6d4034aa49a346bf42307ef8

    • SHA512

      d103dcad2be61c90feff554b6ee7e475d496b68e9f66a3562463a288dab5dd80a60e2080d44448430aa5e591f2b019711236f13c51b69c31c18b91ad1c71979d

    • SSDEEP

      49152:QCwsbCANnKXferL7Vwe/Gg0P+WhlnzpEWoxvD:7ws2ANnKXOaeOgmhVKZxL

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks