General

  • Target

    47323987dfd88140e4cd1cfd3474473e766bf7ba86a4811e7f014b93c14387d5

  • Size

    3.6MB

  • Sample

    240626-gw1spasbrj

  • MD5

    f68ce29dd1e5a736a3fe942ce1aba0ef

  • SHA1

    e168f956caf744c401d71d2706694728f8766c2a

  • SHA256

    47323987dfd88140e4cd1cfd3474473e766bf7ba86a4811e7f014b93c14387d5

  • SHA512

    c83f3b7583f1777237f52161f93ead7a4c4cd4e410c0e3f796038b0fc412eb4c752920b0197a9f56c867624880969965a747a3bbd1265542487063566d54751a

  • SSDEEP

    49152:HCwsbCANnKXferL7Vwe/Gg0P+Wh4YEVkUZI+f0M0FU:iws2ANnKXOaeOgmhakUiRFU

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks