General

  • Target

    a3fd6992d8756426d63da3a47999bd55c40c31675d8bb70f4a61498da34f680d

  • Size

    2.8MB

  • Sample

    240625-v5la9awcrp

  • MD5

    734e25264950f644206c49f08f117db9

  • SHA1

    e3691b759931deb6babd64a617edad278a8cc66c

  • SHA256

    a3fd6992d8756426d63da3a47999bd55c40c31675d8bb70f4a61498da34f680d

  • SHA512

    df46441dc09af8ffbb63481e8783b2cea50f5141adb149d356293cf799d552a58f51bf651badcfc4a45673554af36ca6ea24e0a858b0b38cf6888707b8386472

  • SSDEEP

    49152:QCwsbCANnKXferL7Vwe/Gg0P+WhrfDmn2F:7ws2ANnKXOaeOgmhrfDmn2F

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks