General

  • Target

    9f8631ee66a57a41c76194b45dc0c8d475d3ee675fe1fdd1ebe3f665df40cbd6

  • Size

    15.1MB

  • Sample

    240625-xdmq4syfpj

  • MD5

    a7103264343757f22394356959c80823

  • SHA1

    07eeee107efc87de12e3b515dfaec0f64eed0a2f

  • SHA256

    9f8631ee66a57a41c76194b45dc0c8d475d3ee675fe1fdd1ebe3f665df40cbd6

  • SHA512

    32c0484377f548539c636bedc117230621e52d56116364bb9bf403477963f6c87c626406212fe79a969dc7dbca2e68be018cb4ebc95e46ad5789251f806b2012

  • SSDEEP

    393216:Y7c6KcThkIRWwE2r6KWq84yUM7TOCLWq:YblhDx6KWqQUc6aWq

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
