General

  • Target: 5f2b3438fc7769eb3127d2aac01d3aafb984fa51178ae3142357fc47fe7fce27

  • Size: 9.2MB

  • Sample: 240625-xl8csazaqj

  • MD5: ade4ede47c7b31c73589eb70adbc9c03

  • SHA1: 8a2752e8acf4c59035a7b11dac29a47247f547ef

  • SHA256: 5f2b3438fc7769eb3127d2aac01d3aafb984fa51178ae3142357fc47fe7fce27

  • SHA512: a31d83f275d7e7b966a346841117075e4bf63113a8da391c6aebb922003e1bb18e6d87061eacc0e3e22f295d4155a12a949d52a81f0dcd74bd31eabbc73421a3

  • SSDEEP: 196608:JKXbeO74Bsmd3Ao513qQd0PmlbyBg8VTtBKALX3h:K74BsmFAoDhyxB7R

Malware Config

Targets

    • Target

      5f2b3438fc7769eb3127d2aac01d3aafb984fa51178ae3142357fc47fe7fce27

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks