General

  • Target

    ddb71d39a1c6d72af10d616604dd710e1a3a9e817bed4280bdb9350dd38dd35a

  • Size

    3.0MB

  • Sample

    240624-egeksszepq

  • MD5

    9c4d28b24e8a2e1134dc008439d5122e

  • SHA1

    eab3fd5b9665033679cd76b4a0bea55f4f3367c3

  • SHA256

    ddb71d39a1c6d72af10d616604dd710e1a3a9e817bed4280bdb9350dd38dd35a

  • SHA512

    33a23ff65c7a4f91ec8741f4d9c7c5cbb807102987156f727292db2e0b233981a17d127697b117e78b433cbdcd5bc8e11fb0a9a8f45439cbec807bb9cd42b9d3

  • SSDEEP

    49152:YCwsbCANnKXferL7Vwe/Gg0P+WhjsBHLitONhw9wMBIff:zws2ANnKXOaeOgmhjsdLAAIBs

Malware Config

Targets

    • Target

      ddb71d39a1c6d72af10d616604dd710e1a3a9e817bed4280bdb9350dd38dd35a

    • Size

      3.0MB

    • MD5

      9c4d28b24e8a2e1134dc008439d5122e

    • SHA1

      eab3fd5b9665033679cd76b4a0bea55f4f3367c3

    • SHA256

      ddb71d39a1c6d72af10d616604dd710e1a3a9e817bed4280bdb9350dd38dd35a

    • SHA512

      33a23ff65c7a4f91ec8741f4d9c7c5cbb807102987156f727292db2e0b233981a17d127697b117e78b433cbdcd5bc8e11fb0a9a8f45439cbec807bb9cd42b9d3

    • SSDEEP

      49152:YCwsbCANnKXferL7Vwe/Gg0P+WhjsBHLitONhw9wMBIff:zws2ANnKXOaeOgmhjsdLAAIBs

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks