General

  • Target

    28f52ce76a5d18e9eaed3d0b1048bfe319d8a3e6a7c72f41ce6c50e63e9198ee

  • Size

    4.6MB

  • Sample

    240624-ebxjeswfqd

  • MD5

    f05ab641d3084f6fd759798e086cb052

  • SHA1

    d7028d2240572ecef7d1963cf1043b86d2cc79e2

  • SHA256

    28f52ce76a5d18e9eaed3d0b1048bfe319d8a3e6a7c72f41ce6c50e63e9198ee

  • SHA512

    724dc112562a3a67e42d93191a17c975e2a45219f4893c582f44e011ddfd14ea8f18fa1efc21cbd9c6af514b119c0cf23c6302cba2c32017e63c379d50e673b4

  • SSDEEP

    49152:N09XJt4HIN2H2tFvduyS4bXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHC4O8b8R:uZJt4HINy2Lk4bXsPN5kiQaZ56

Malware Config

Targets

    • Target

      28f52ce76a5d18e9eaed3d0b1048bfe319d8a3e6a7c72f41ce6c50e63e9198ee

    • Size

      4.6MB

    • MD5

      f05ab641d3084f6fd759798e086cb052

    • SHA1

      d7028d2240572ecef7d1963cf1043b86d2cc79e2

    • SHA256

      28f52ce76a5d18e9eaed3d0b1048bfe319d8a3e6a7c72f41ce6c50e63e9198ee

    • SHA512

      724dc112562a3a67e42d93191a17c975e2a45219f4893c582f44e011ddfd14ea8f18fa1efc21cbd9c6af514b119c0cf23c6302cba2c32017e63c379d50e673b4

    • SSDEEP

      49152:N09XJt4HIN2H2tFvduyS4bXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHC4O8b8R:uZJt4HINy2Lk4bXsPN5kiQaZ56

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX build.

    • Drops file in System32 directory
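The behavioural signatures above (a file dropped in the Drivers or System32 directory, a service ImagePath written to the registry, the dropped EXE executed and the dropped DLL loaded) are the kind of rule a sandbox evaluates over the endpoint telemetry it collects. The script below is an added example, not the report's own rule logic: it correlates a constructed stream of Sysmon-style events (IDs 11, 13, 1 and 7, with simplified field names) into those signatures, and adds one correlation the report does not list, flagging when the service ImagePath points at a file the same sample dropped, which separates a self-installed driver from an ordinary service installation. All paths and process names are hypothetical.

```python
"""Correlate Sysmon-style events into the behavioural signatures listed in
the report. Added example: not Triage's rule logic, event records are
constructed, and the 'points to a dropped file' check is an extra here."""
import re

# Constructed events modelled on Sysmon Event IDs 11 (FileCreate),
# 13 (RegistrySet), 1 (ProcessCreate) and 7 (ImageLoad). Field names are
# simplified; real Sysmon uses TargetFilename, Details, ParentImage, etc.
EVENTS = [
    {"id": 11, "image": r"C:\Users\u\AppData\Local\Temp\inst.exe",
     "target": r"C:\Windows\System32\drivers\sysdrv.sys"},
    {"id": 11, "image": r"C:\Users\u\AppData\Local\Temp\inst.exe",
     "target": r"C:\Windows\System32\helper.dll"},
    {"id": 11, "image": r"C:\Users\u\AppData\Local\Temp\inst.exe",
     "target": r"C:\ProgramData\upd.exe"},
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\inst.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\sysdrv\ImagePath",
     "details": "\\??\\C:\\Windows\\System32\\drivers\\sysdrv.sys"},
    {"id": 1, "image": r"C:\ProgramData\upd.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\inst.exe"},
    {"id": 7, "image": r"C:\ProgramData\upd.exe",
     "target": r"C:\Windows\System32\helper.dll"},
    # Benign noise: an OS component writing a log outside System32.
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\x.log"},
]

# Directory and key patterns. Paths are matched after lower-casing, so the
# re.I flag only matters for the registry hive/key names.
DRIVERS_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\")
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\")
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$",
    re.I)


def normalise(path: str) -> str:
    """Lower-case a path and strip the NT object prefix (\\??\\) that
    kernel-mode ImagePath values usually carry, so registry values and
    file-create targets compare equal."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def match_signatures(events):
    """Return the sorted set of signature names fired by the event stream.
    Processes a single pass in time order: a file only counts as 'dropped'
    for later execute/load events after its FileCreate has been seen."""
    hits = set()
    dropped = set()  # normalised paths of files created during the run
    for ev in events:
        if ev["id"] == 11:
            target = normalise(ev["target"])
            dropped.add(target)
            if DRIVERS_DIR.match(target):
                hits.add("Drops file in Drivers directory")
            if SYSTEM32_DIR.match(target):  # Drivers is under System32, so both fire
                hits.add("Drops file in System32 directory")
        elif ev["id"] == 13 and SERVICE_IMAGEPATH.match(ev["target"]):
            hits.add("Sets service image path in registry")
            if normalise(ev["details"]) in dropped:
                hits.add("Service image path points to a dropped file")
        elif ev["id"] == 1 and normalise(ev["image"]) in dropped:
            hits.add("Executes dropped EXE")
        elif ev["id"] == 7 and normalise(ev["target"]) in dropped:
            hits.add("Loads dropped DLL")
    return sorted(hits)


if __name__ == "__main__":
    for name in match_signatures(EVENTS):
        print(name)
```

Run against real telemetry, the weak point of such rules is the normalisation step: ImagePath values may be unquoted, use 8.3 names, or reference \SystemRoot\ rather than a drive letter, and each unhandled form is a miss, not a false positive.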
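The "UPX packed file" signature is static rather than behavioural: it is read from the PE section table. Stock UPX leaves three telltales, sections named UPX0/UPX1, a "UPX!" magic string, and a first section with zero raw size but a large virtual size (the unpacking target) followed by a high-entropy section holding the compressed image. A "modified UPX" build renames the sections and strips the magic, so only the third telltale survives. The script below is an added example, not the report's detection rule: it parses the section table of a PE image with the standard library, measures section entropy, and reports which telltales are present. The three sample images are constructed in-line by a small PE builder (`build_pe`, hypothetical helper) with zeroed optional headers, enough for the section-table walk but not loadable.

```python
"""Static UPX indicators from the PE section table. Added example, not the
report's own rule; the sample PE images are constructed below."""
import math
import struct

OPT_HEADER_SIZE = 0xE0  # PE32 optional header size; contents zeroed here


def build_pe(sections):
    """Construct a minimal PE image (constructed test data, not a real
    binary). sections: list of (name_bytes, virtual_size, raw_bytes)."""
    nsec = len(sections)
    hdr_end = 0x40 + 4 + 20 + OPT_HEADER_SIZE + 40 * nsec
    raw_start = (hdr_end + 0x1FF) & ~0x1FF           # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0,
                                   OPT_HEADER_SIZE, 0x0102)
    headers, blobs, ptr = b"", b"", raw_start
    for name, vsize, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize,
                               0x1000, len(raw), ptr if raw else 0,
                               0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    img = dos + coff + bytes(OPT_HEADER_SIZE) + headers
    return img + bytes(raw_start - len(img)) + blobs


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, first + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        out.append({"name": name.rstrip(b"\0").decode("latin-1"),
                    "vsize": vsize, "rawsize": rawsize, "entropy": entropy(raw)})
    return out


def upx_indicators(data: bytes):
    """Return the list of UPX telltales found, in a fixed order."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    reasons = []
    if any(n.upper().startswith("UPX") for n in names):
        reasons.append("section names " + ",".join(names))
    if b"UPX!" in data:
        reasons.append("'UPX!' marker present")
    # Packer shape that survives renaming: empty first section with a large
    # virtual size, then a high-entropy section holding the compressed image.
    if (len(secs) >= 2 and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0
            and secs[1]["entropy"] > 7.0):
        reasons.append("empty first section + high-entropy second section")
    return reasons


HIGH_ENTROPY = bytes(range(256)) * 16            # exactly 8.0 bits/byte
UPX_PACKED = build_pe([(b"UPX0", 0x20000, b""),
                       (b"UPX1", 0x8000, HIGH_ENTROPY + b"UPX!"),
                       (b".rsrc", 0x1000, b"\0" * 512)])
MODIFIED_UPX = build_pe([(b".text", 0x20000, b""),
                         (b".data", 0x8000, HIGH_ENTROPY),
                         (b".rsrc", 0x1000, b"\0" * 512)])
BENIGN = build_pe([(b".text", 0x1000, b"\x55\x8b\xec" * 400 + b"\xc3"),
                   (b".data", 0x200, b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("stock UPX", UPX_PACKED), ("renamed UPX", MODIFIED_UPX),
                       ("benign", BENIGN)):
        print(label, "->", upx_indicators(img) or ["none"])
```

The entropy heuristic is what catches the renamed build, and it is also the noisiest of the three: encrypted resources, embedded archives and .NET single-file bundles all produce high-entropy sections, so on its own it says "packed or compressed", not "UPX".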

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID         Count
--------------------  -----------------------------------  ---------  -----
Persistence           Boot or Logon Autostart Execution    T1547      1
                      Registry Run Keys / Startup Folder   T1547.001  1
Privilege Escalation  Boot or Logon Autostart Execution    T1547      1
                      Registry Run Keys / Startup Folder   T1547.001  1
Defense Evasion       Modify Registry                      T1112      1
Discovery             System Information Discovery         T1082      1
                      Remote System Discovery              T1018      1

Tasks