General

  • Target

    bd7195ea47030968364530fc1bf2c38a40361902457e81106c273295d5d43515

  • Size

    1.3MB

  • Sample

    240623-lp2tma1hlm

  • MD5

    009c42089b3aace87b75b1fe469c5109

  • SHA1

    7f2db219b5c36801ffae19247c4e1a69dff41058

  • SHA256

    bd7195ea47030968364530fc1bf2c38a40361902457e81106c273295d5d43515

  • SHA512

    ccd3669714f4a2c95fa317f6587287857c07c50cac55303898ec43d7d1da4437eabe471ab36066cf51c0b725c48fe5289b8ecf5530443f83c1d929096b4a369d

  • SSDEEP

    24576:iOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN+Fyzhyz:rHPkVOBTK

Malware Config

Targets

    • Target

      bd7195ea47030968364530fc1bf2c38a40361902457e81106c273295d5d43515

    • Size

      1.3MB

    • MD5

      009c42089b3aace87b75b1fe469c5109

    • SHA1

      7f2db219b5c36801ffae19247c4e1a69dff41058

    • SHA256

      bd7195ea47030968364530fc1bf2c38a40361902457e81106c273295d5d43515

    • SHA512

      ccd3669714f4a2c95fa317f6587287857c07c50cac55303898ec43d7d1da4437eabe471ab36066cf51c0b725c48fe5289b8ecf5530443f83c1d929096b4a369d

    • SSDEEP

      24576:iOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN+Fyzhyz:rHPkVOBTK

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Remote System Discovery (T1018): 1

Tasks