General

  • Target

    595e8977baaa9e37be946dc6564a881e0cad1d4958285dbce4fbb617727e9ddc

  • Size

    4.9MB

  • Sample

    240625-xqax3sxbnd

  • MD5

    b2b830b49357232f37dfe390000e0317

  • SHA1

    d33ba360b90c07e881fb0fa798379af9bbc00ec1

  • SHA256

    595e8977baaa9e37be946dc6564a881e0cad1d4958285dbce4fbb617727e9ddc

  • SHA512

    a8d946dbe2013513fdf2f232d661eee483e76668f48fb30dadc4beac299666247c68a1ab31f88c2d2d82911f0071fefc2c407241608d34aa443f266faee6a9f3

  • SSDEEP

    98304:VGdVyVT9nOgmh/CDmn25bXsPN5kiQaZ56:iWT9nO70mnB5VP6

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15