General

  • Target

    10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5

  • Size

    2.2MB

  • Sample

    240625-wfb7qawhmn

  • MD5

    95a54cd814984f07c952c581915d0948

  • SHA1

    e6c8f6c28d581c14587714fac1b29e740dd94b48

  • SHA256

    10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5

  • SHA512

    71db35fe9375f154053b6ce761dbfd8b3aa2e0c85c1d61301629fc763f5d207cb1ea34a783e4420495ee2f3dd547ba09344ad3995588f13740ace33927495428

  • SSDEEP

    24576:LQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVZnGsAJuH0:LQZAdVyVT9n/Gg0P+WhoIGlN

Malware Config

Targets

    • Target

      10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5

    • Size

      2.2MB

    • MD5

      95a54cd814984f07c952c581915d0948

    • SHA1

      e6c8f6c28d581c14587714fac1b29e740dd94b48

    • SHA256

      10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5

    • SHA512

      71db35fe9375f154053b6ce761dbfd8b3aa2e0c85c1d61301629fc763f5d207cb1ea34a783e4420495ee2f3dd547ba09344ad3995588f13740ace33927495428

    • SSDEEP

      24576:LQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVZnGsAJuH0:LQZAdVyVT9n/Gg0P+WhoIGlN

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks