General

  • Target

    fb748d914440fd9e7ba56e983f36b66ebe4044e945576133460669d224c9e955

  • Size

    5.2MB

  • Sample

    240625-wck1fstepf

  • MD5

    e4ab283eed31e1d5dee4b4368aca1833

  • SHA1

    ab82eee38da6c647d6e53ac1de9f27e6bd7428e3

  • SHA256

    fb748d914440fd9e7ba56e983f36b66ebe4044e945576133460669d224c9e955

  • SHA512

    abfc8f2bfb94fe788ccc8659e4c2f30683a184311619c07c1b70abf1b8a45e6b84b628a134a7bddb777d96f7c4c812aee1899a6d98a4ef685a251bc43884c5ff

  • SSDEEP

    98304:gws2ANnKXOaeOgmh5nlEqtjhZ6AJQ47xVbGFpT+A:2KXbeO7fnlEY1Rt7xVm

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks