General

  • Target

    0b36e5dfca5b18c3d1570f559b7bc51e129d634111e98b5762f67501b98e84f3

  • Size

    9.0MB

  • Sample

    240625-wgt4xstglg

  • MD5

    024be9fa2dfe377a6aab9c33691db05b

  • SHA1

    6f33463a05b168b5d6d6e3b7fda5679ea32fbd97

  • SHA256

    0b36e5dfca5b18c3d1570f559b7bc51e129d634111e98b5762f67501b98e84f3

  • SHA512

    1176dfc537ca9b1380cd7f54f02bacb3bdc1cbc233e79746b0aa7cedfdd0670b2c020e06703a4e60d6d2b0a2f2ffdf65f56ed7f03b61a1562f760a0601dca14c

  • SSDEEP

    196608:2WT9nO7rzX9AzutNUUwJIjCxrK0xAk4pFWJVGG7JVh:27fmitilrKKp4pFCGiR

Targets

    • Detect PurpleFox Rootkit

      Detects the kernel-mode rootkit component that PurpleFox drops alongside its payloads.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access trojan (RAT) whose source code is publicly available; it has been used by multiple Chinese-speaking threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or with a modified UPX build.

    • Drops file in System32 directory
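
The following Python helper is an added example and is not part of the sandbox report or of the detection signatures listed above. It does two things a responder typically wants after reading a report like this: compare a file's MD5/SHA1/SHA256/SHA512 against the IOC hashes given in the General section, and apply a simple UPX heuristic (UPX0/UPX1/UPX2 section names or the "UPX!" magic) by parsing the PE section table with the standard library. The PE builder produces a constructed, non-executable stand-in so the code runs offline; the UPX heuristic is an assumption of this example, not the report's own detection logic, and it will miss modified UPX builds that rename sections and wipe the magic.

```python
import hashlib
import struct

# IOC hashes copied from the General section of the report above.
REPORT_HASHES = {
    "md5": "024be9fa2dfe377a6aab9c33691db05b",
    "sha1": "6f33463a05b168b5d6d6e3b7fda5679ea32fbd97",
    "sha256": "0b36e5dfca5b18c3d1570f559b7bc51e129d634111e98b5762f67501b98e84f3",
    "sha512": "1176dfc537ca9b1380cd7f54f02bacb3bdc1cbc233e79746b0aa7cedfdd0670b"
              "2c020e06703a4e60d6d2b0a2f2ffdf65f56ed7f03b61a1562f760a0601dca14c",
}

# Section names written by stock UPX (assumption: heuristic, not the report's rule).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"


def hash_bytes(data):
    """Return hex digests for the four algorithms the report lists."""
    return {alg: getattr(hashlib, alg)(data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data, iocs=REPORT_HASHES):
    """Per-algorithm boolean: does this blob match the reported sample?"""
    digests = hash_bytes(data)
    return {alg: digests[alg] == expected for alg, expected in iocs.items()}


def pe_section_names(data):
    """Parse MZ -> e_lfanew -> PE -> COFF -> section table; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break                                                # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data):
    """UPX heuristic: stock section names or the UPX! magic anywhere in the file."""
    names = pe_section_names(data)
    return any(n in UPX_SECTION_NAMES for n in names) or UPX_MAGIC in data


def build_fake_pe(section_names):
    """Constructed sample: a PE-shaped blob with the given section names.
    It is not a runnable executable; it only exercises the header parser."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + sections


def triage_file(path):
    """Read a file from disk and return hash matches plus the UPX verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hash_match": matches_report(data),
            "upx_packed": looks_upx_packed(data),
            "sections": pe_section_names(data)}


if __name__ == "__main__":
    sample = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(pe_section_names(sample), looks_upx_packed(sample))
    print(matches_report(sample))
```

Run `triage_file` against a suspect binary; an all-True hash match identifies the exact sample from this report, while a True UPX verdict on a non-matching file only tells you it needs unpacking before static analysis.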

MITRE ATT&CK Enterprise v15