General

  • Target

    afb8cb9a130ec071d62cc21b34e4e82f8e88cf5e6c666f9330553993faef1088

  • Size

    2.4MB

  • Sample

    240625-xc7pwsyflr

  • MD5

    9e293d84bef44881bbdd8641eb6140d0

  • SHA1

    930f1ba63442dae8d81376d726ee49527af31a99

  • SHA256

    afb8cb9a130ec071d62cc21b34e4e82f8e88cf5e6c666f9330553993faef1088

  • SHA512

    ba9eb367820f344c1c0da66df7153429d045abc93ee0789a46a293a7b70175fca847c78f87327566d573f69f6d2c03097b9ee7f307ec3c299295564b5d9c40c9

  • SSDEEP

    49152:BCwsbCANnKXferL7Vwe/Gg0P+WhnatTS2:sws2ANnKXOaeOgmhatTS2

Malware Config

Targets

    • Target

      afb8cb9a130ec071d62cc21b34e4e82f8e88cf5e6c666f9330553993faef1088

    • Size

      2.4MB

    • MD5

      9e293d84bef44881bbdd8641eb6140d0

    • SHA1

      930f1ba63442dae8d81376d726ee49527af31a99

    • SHA256

      afb8cb9a130ec071d62cc21b34e4e82f8e88cf5e6c666f9330553993faef1088

    • SHA512

      ba9eb367820f344c1c0da66df7153429d045abc93ee0789a46a293a7b70175fca847c78f87327566d573f69f6d2c03097b9ee7f307ec3c299295564b5d9c40c9

    • SSDEEP

      49152:BCwsbCANnKXferL7Vwe/Gg0P+WhnatTS2:sws2ANnKXOaeOgmhatTS2

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or with a modified UPX build.

    • Drops file in System32 directory
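
The "UPX packed file" signature above is the one that can be reproduced offline from the file alone. The following is an added example, not the sandbox's own rule and not code from this sample's analysis: a minimal PE section-table parser that flags the classic UPX layout (section names UPX0/UPX1/UPX2, or, for a modified UPX that renames sections, an empty-on-disk section with a large virtual size next to a high-entropy section that holds the compressed body). The PE images it inspects are constructed in the block as fixtures; the 7.0 bits/byte entropy threshold and the section-name list are assumptions chosen for illustration.

```python
import hashlib
import math
import struct
from dataclasses import dataclass

# Assumed heuristics (not from the report): stock UPX section names, and the
# per-byte entropy above which a section is treated as compressed/encrypted.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    raw_offset: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or constant data, close to 8.0 for packed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, rsize, rptr, shannon_entropy(raw)))
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Name-based hit for stock UPX; layout-based hit for renamed (modified) UPX."""
    secs = parse_sections(pe)
    hits = sorted(s.name for s in secs if s.name.encode() in UPX_SECTION_NAMES)
    # UPX0 is the unpacking destination: no bytes on disk, large virtual size.
    # UPX1 carries the compressed program, so its raw bytes are high-entropy.
    empty_raw = [s.name for s in secs if s.raw_size == 0 and s.virtual_size > 0]
    high_ent = [s.name for s in secs if s.raw_size and s.entropy >= HIGH_ENTROPY]
    return {
        "upx_sections": hits,
        "empty_raw_sections": empty_raw,
        "high_entropy_sections": high_ent,
        "likely_upx": bool(hits) or (bool(empty_raw) and bool(high_ent)),
    }


def build_pe(sections) -> bytes:
    """Constructed fixture builder: a minimal, non-loadable PE32 with the given
    (name, virtual_size, raw_bytes) sections. Only the fields the parser reads are real."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_start = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    hdrs, body, ptr = b"", b"", raw_start
    for name, vsize, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                            len(raw), ptr if raw else 0, 0, 0, 0, 0, 0)
        body += raw
        ptr += len(raw)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_start, b"\0") + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for compressed data."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed fixtures: stock UPX layout, a renamed-section (modified UPX) layout,
# and a plain unpacked layout with low-entropy code.
PACKED_SAMPLE = build_pe([(b"UPX0", 0x20000, b""),
                          (b"UPX1", 0x8000, _pseudo_random(0x4000)),
                          (b".rsrc", 0x1000, b"\0" * 0x200)])
RENAMED_SAMPLE = build_pe([(b".text", 0x20000, b""),
                           (b".data", 0x8000, _pseudo_random(0x4000))])
PLAIN_SAMPLE = build_pe([(b".text", 0x4000, bytes(range(64)) * 64),
                         (b".data", 0x1000, b"\0" * 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(img))
```

Against a real sample, read the file bytes and pass them to `upx_indicators`; a name-only hit is strong evidence of stock UPX, while a layout-only hit (renamed sections) is a weaker signal that deserves a look at the entry-point section before concluding the file is packed.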

MITRE ATT&CK Enterprise v15

Tasks