General

  • Target

    df25a63400f38d007ec96370e68c8fd3481cde695b9e21ecb40e0e2379bd5e09

  • Size

    1.5MB

  • Sample

    240626-gkljma1erk

  • MD5

    303d9f46632526096b720a219ad03433

  • SHA1

    cb2467bdfaa451459daa4a5ffa3e781cae38aad1

  • SHA256

    df25a63400f38d007ec96370e68c8fd3481cde695b9e21ecb40e0e2379bd5e09

  • SHA512

    7f449d729becd52a032733f2725970260042c05daf9f590aa949cfa5988d44836dd9f082788b07987086dcf62729ead0dd142edca5ce156ab2fb788954d61f8d

  • SSDEEP

    24576:1QZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVlyrqfaVN5mmT7Kl:1QZAdVyVT9n/Gg0P+WhoZrqfovfKl

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks