General

  • Target

    b03282675f1e6d20af65c27581d892f40eaa6bbc33f73fbd573194114ca4d195

  • Size

    5.5MB

  • Sample

    240625-xd334ayfrj

  • MD5

    2fce24af69895c38a7443acc52f6de3d

  • SHA1

    bf3af1505c1c9f204114d29271c6c8ce6a42b6f0

  • SHA256

    b03282675f1e6d20af65c27581d892f40eaa6bbc33f73fbd573194114ca4d195

  • SHA512

    c3f1eb1506bdc59b973e958c1d006f2af8102cf5e3f1c0501a729812596cec7e9c0625ea8e3f84e50a6aeaa1918382dd5b266553b836a451270231a3c416ed94

  • SSDEEP

    98304:9ws2ANnKXOaeOgmhMnlEXKRDjAlmKwyXLp5t8teB:nKXbeO7enlE6WPjXLp5t8teB

Malware Config

Targets


    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks