General

  • Target

    0eeeabfa4de6361f05fe4db5b8c026801f89cd87674076ba6dcc39c38bba8341

  • Size

    4.4MB

  • Sample

    240626-gtn14ssaqp

  • MD5

    73ea010011d186a1a338f3a0755aa069

  • SHA1

    18178c54d68c7d3cb4fe27ced21363a65d63dbf0

  • SHA256

    0eeeabfa4de6361f05fe4db5b8c026801f89cd87674076ba6dcc39c38bba8341

  • SHA512

    d490c4a74228d07cedae50e4557f7e1dfa37c48f8557ac5295abb27563f0a41d1509272a1a781c4444950d4bc8e356e7a13aba031cddcc8852fee378c078a70e

  • SSDEEP

    98304:Uws2ANnKXOaeOgmh82x8/OmAlEMudO23f:CKXbeO7bEA2P

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks