General

  • Target

    3fe11dd80f9dd457a6e5e92ae8c1fba57ff87fc28cb0f62c3d37e8c9e2b5fb60

  • Size

    6.5MB

  • Sample

    240625-xmmgpszarn

  • MD5

    6fdc8c71a95206d7746fb05b29b41e46

  • SHA1

    3f85b684053024e2a0b1dd525ef7808bc564a4a6

  • SHA256

    3fe11dd80f9dd457a6e5e92ae8c1fba57ff87fc28cb0f62c3d37e8c9e2b5fb60

  • SHA512

    97f6adce1145b595ba37ea7800cd1a717427f541577419ef2c31f3829b624b1555f735fd62115e1abcbe57b7ad3853a1bf6f211cdf08ab737a3b275219f5e9b5

  • SSDEEP

    98304:yws2ANnKXOaeOgmhDsbltXkUt8hD3vZerXSFSYGBDVfSXNiu0fEL8t:oKXbeO7+JtpadW2xlkueEL8t

Malware Config

Targets

    • Target

      3fe11dd80f9dd457a6e5e92ae8c1fba57ff87fc28cb0f62c3d37e8c9e2b5fb60

    • Size

      6.5MB

    • MD5

      6fdc8c71a95206d7746fb05b29b41e46

    • SHA1

      3f85b684053024e2a0b1dd525ef7808bc564a4a6

    • SHA256

      3fe11dd80f9dd457a6e5e92ae8c1fba57ff87fc28cb0f62c3d37e8c9e2b5fb60

    • SHA512

      97f6adce1145b595ba37ea7800cd1a717427f541577419ef2c31f3829b624b1555f735fd62115e1abcbe57b7ad3853a1bf6f211cdf08ab737a3b275219f5e9b5

    • SSDEEP

      98304:yws2ANnKXOaeOgmhDsbltXkUt8hD3vZerXSFSYGBDVfSXNiu0fEL8t:oKXbeO7+JtpadW2xlkueEL8t

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks