General

  • Target

    1facf04f63625a13452f7a170984772d3ea9bd0adb9974262a81527dc6da99b4

  • Size

    1.4MB

  • Sample

    240624-r3qleaxdlb

  • MD5

    f694ab08ee37176d2cb7dc0133d5046c

  • SHA1

    9617ec3f9d607217cc5a6bdf190486c74a2956c7

  • SHA256

    1facf04f63625a13452f7a170984772d3ea9bd0adb9974262a81527dc6da99b4

  • SHA512

    bbdd2c1895541ecced92157105943fe737980cc791921562d27415792bf5cf95075c53c5a3a5fe63dc3d28a02e2e0d567e3b28702deab0c665951f8e5667ce42

  • SSDEEP

    24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK

Malware Config

Targets

    • Target

      1facf04f63625a13452f7a170984772d3ea9bd0adb9974262a81527dc6da99b4

    • Size

      1.4MB

    • MD5

      f694ab08ee37176d2cb7dc0133d5046c

    • SHA1

      9617ec3f9d607217cc5a6bdf190486c74a2956c7

    • SHA256

      1facf04f63625a13452f7a170984772d3ea9bd0adb9974262a81527dc6da99b4

    • SHA512

      bbdd2c1895541ecced92157105943fe737980cc791921562d27415792bf5cf95075c53c5a3a5fe63dc3d28a02e2e0d567e3b28702deab0c665951f8e5667ce42

    • SSDEEP

      24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks