General

  • Target: 3c9898a5c4f5d87e890669781609c1d529973757d75a18217c3fe95bacafbcb3
  • Size: 5.2MB
  • Sample: 240625-wgg5cstgkg
  • MD5: 20e57be9fa1a3c4e8141df884a0d6cee
  • SHA1: 6953c1f952e67e31a717e7ff897c5b03d49416ff
  • SHA256: 3c9898a5c4f5d87e890669781609c1d529973757d75a18217c3fe95bacafbcb3
  • SHA512: f7daf613d7ccd70d2b5b2e51e86062a2910ea739f90825cd5a30d1cb2dcc2770988b48bac457b2bb03689ba57a153157c33798fcbdfa73b5edc4bca8be6394a3
  • SSDEEP: 98304:tws2ANnKXOaeOgmhonlEfvUMhk3eD31VMejSkxlteB:3KXbeO7GnlE/k3W31mKSiteB

Targets

    • Detect PurpleFox Rootkit

      Signature-based detection of the PurpleFox rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15