General

  • Target

    14ea9d41c5cecd896abbd7871bd0ff28901b63be86ceb96e86893974a80ec2ab

  • Size

    2.8MB

  • Sample

    240625-xrhdjszcrm

  • MD5

    e7e67a598a8064dfbbf5152f9aa31b48

  • SHA1

    c2f7344f4de35b7b20d13eab9fc43cb23cab5919

  • SHA256

    14ea9d41c5cecd896abbd7871bd0ff28901b63be86ceb96e86893974a80ec2ab

  • SHA512

    d7839398dfd3a41660a4b09dcc8953d9e1c00c687a7ad45b16feed2d65b0488d2d81ca490a8e491ce7f9698535f7e605e4e85bda3c67f5aba862fb4dc431db8c

  • SSDEEP

    49152:TCwsbCANnKXferL7Vwe/Gg0P+WhLopj+619:Gws2ANnKXOaeOgmhLoj

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks