General

  • Target

    92aad90a6167c0c5a11416c439c2d3e0545345873d51b5730527d9d0d9ef1646

  • Size

    11.3MB

  • Sample

    240625-ggh94atblh

  • MD5

    c5691b1d397b9a57fff6529fcce38e4d

  • SHA1

    dcb2cf055b70652d321da11e87d3b7b9e3511529

  • SHA256

    92aad90a6167c0c5a11416c439c2d3e0545345873d51b5730527d9d0d9ef1646

  • SHA512

    e0830ee30ca35b14fdeb40a5d026d982d16343739a2f3e1ac58091b4c5d939346dd18a804b9bf6ddfbb1fc76e6b5e7f5c224a9468615c0620cfaabda4e5de762

  • SSDEEP

    24576:iOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN+Fyzhyzi:rHPkVOBTKn

Malware Config

Targets

    • Target

      92aad90a6167c0c5a11416c439c2d3e0545345873d51b5730527d9d0d9ef1646

    • Size

      11.3MB

    • MD5

      c5691b1d397b9a57fff6529fcce38e4d

    • SHA1

      dcb2cf055b70652d321da11e87d3b7b9e3511529

    • SHA256

      92aad90a6167c0c5a11416c439c2d3e0545345873d51b5730527d9d0d9ef1646

    • SHA512

      e0830ee30ca35b14fdeb40a5d026d982d16343739a2f3e1ac58091b4c5d939346dd18a804b9bf6ddfbb1fc76e6b5e7f5c224a9468615c0620cfaabda4e5de762

    • SSDEEP

      24576:iOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN+Fyzhyzi:rHPkVOBTKn

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Remote System Discovery

1
T1018

Tasks