General

  • Target

    6192453c9d8aabc7c26fc7142fe98ae7cb006b41909b3424d6cd2ff1be6e9ba0

  • Size

    3.4MB

  • Sample

    240625-wcxn9awglm

  • MD5

    354fabc893473ab639f6c73659548c99

  • SHA1

    a326c06a7842b2a7ad5186b9b3220c8c3322f9fc

  • SHA256

    6192453c9d8aabc7c26fc7142fe98ae7cb006b41909b3424d6cd2ff1be6e9ba0

  • SHA512

    c02b59ad6f2248b0eefb5df596e9ae544b0f413c0345e063fc7ba3270b27f0d3202c87c60f6de08002a1c8f527e5a1516d0985ed7c8bdad05328ddf43a0ed0fc

  • SSDEEP

    49152:UCwsbCANnKXferL7Vwe/Gg0P+Wh2ua7J3jrI+7TvuBoM:3ws2ANnKXOaeOgmhhc3jEPBoM

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks