General

  • Target

    2024-06-26_417eb68d6af1b213c5411e3bc846efd6_icedid_poet-rat

  • Size

    10.4MB

  • Sample

    240626-glk99a1fln

  • MD5

    417eb68d6af1b213c5411e3bc846efd6

  • SHA1

    56e24e7fbc067629fa9db2cdf456aad5aa625792

  • SHA256

    27f1fc259d27049c298e8b287989eab305eb491cee1720c7e1e0234a35ef39c3

  • SHA512

    edede6573891c85d572de32a8e4fa991479a31560af9614d25455774dd3e1eaf7ebe7b4e66f6d5abfd49340ff6be2cde26dce86668938a3a29311cf8bcf8465a

  • SSDEEP

    196608:5y2LkXEQJHwBWbQrdQ8rvsluv67amrYn/BjOETSJA4:cDxbQrdQllv7Y/oH

Malware Config

Targets

    • Target

      2024-06-26_417eb68d6af1b213c5411e3bc846efd6_icedid_poet-rat

    • Detect PurpleFox Rootkit

      Signature match for the PurpleFox rootkit component.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • UPX dump on OEP (original entry point)

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks