General

  • Target

    c64c8d47a0699809f97cdd8f3d9e4449d52bff0eb013d4d44d09b32b54177e36

  • Size

    5.6MB

  • Sample

    240625-xp4h1axbmd

  • MD5

    1a41b3ba2b280071d3f82162f0d13e76

  • SHA1

    3427b33f7d99f1291a2a30d4eae998b8883f257c

  • SHA256

    c64c8d47a0699809f97cdd8f3d9e4449d52bff0eb013d4d44d09b32b54177e36

  • SHA512

    1cacf0d09bc130923d6608787613f4971029df1a088419c129478e954f67f7204002eef5530686d07db40def674ac15a0fb6e601f2941221cf7c9a9e83aaa49f

  • SSDEEP

    98304:Cws2ANnKXOaeOgmhuitV0BPRbjbLgCRi7OnYZ0bYy7qUI1eV5QQkBSlUbsPLUoJ8:YKXbeO7XtWBRnRpYyb7uv18kBSGbsr

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks