General

  • Target

    966923fca125d611aee84f63dabccae716243182ec3b7c9ced7fb79fa0a86cc5

  • Size

    3.7MB

  • Sample

    240624-el4qgswhrb

  • MD5

    fa6cf03d7d1883e7d1c7e57f0aa31a54

  • SHA1

    dfdef5007f29d5cf659fa5c782fff17bdb8a46d2

  • SHA256

    966923fca125d611aee84f63dabccae716243182ec3b7c9ced7fb79fa0a86cc5

  • SHA512

    87e0841639657d0ba10d11901f52bf950e8239d6de3547a740ad21adf132b9aa69ef1a7332a399a79b6c803e790eba432d8c8b0ebfd82085bbfd05bf19c7bcff

  • SSDEEP

    49152:YCwsbCANnKXferL7Vwe/Gg0P+Whl6SSRrNRmH58Hjb5QzzskUMnc:zws2ANnKXOaeOgmhASR5Kn5QzJ

Malware Config

Targets

    • Target

      966923fca125d611aee84f63dabccae716243182ec3b7c9ced7fb79fa0a86cc5

    • Size

      3.7MB

    • MD5

      fa6cf03d7d1883e7d1c7e57f0aa31a54

    • SHA1

      dfdef5007f29d5cf659fa5c782fff17bdb8a46d2

    • SHA256

      966923fca125d611aee84f63dabccae716243182ec3b7c9ced7fb79fa0a86cc5

    • SHA512

      87e0841639657d0ba10d11901f52bf950e8239d6de3547a740ad21adf132b9aa69ef1a7332a399a79b6c803e790eba432d8c8b0ebfd82085bbfd05bf19c7bcff

    • SSDEEP

      49152:YCwsbCANnKXferL7Vwe/Gg0P+Whl6SSRrNRmH58Hjb5QzzskUMnc:zws2ANnKXOaeOgmhASR5Kn5QzJ

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks