General

  • Target

    c9e4d8e75ac6811227b9ffbce4562932f8bfc9a3f68a9c95dfb6d263d0a987a5

  • Size

    3.1MB

  • Sample

    240625-xnjr7sxapb

  • MD5

    7ea55d12e2f36807983b10538e781380

  • SHA1

    38577becca0f5364218d2129e3e44329dbd8f396

  • SHA256

    c9e4d8e75ac6811227b9ffbce4562932f8bfc9a3f68a9c95dfb6d263d0a987a5

  • SHA512

    bec26b1484d926392aedeb6fb02312fd2d7d0607a77e32906b24ee47907df88c493f0f18b0f0a5d569dd537c0dc23d0a5df02807faa5df32d3f7ecf5e7655997

  • SSDEEP

    49152:XCwsbCANnKXferL7Vwe/Gg0P+WhzlRVZK89d4h+RiS+taLq:Sws2ANnKXOaeOgmhzlRVZK8j4AKtaLq

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks