Overview

overview

10

Static

static

3

002654万�...sx.exe

windows7-x64

10

002654万�...sx.exe

windows10-2004-x64

10

300227�...sx.exe

windows7-x64

10

300227�...sx.exe

windows10-2004-x64

10

300738�...sx.exe

windows7-x64

10

300738�...sx.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d11df82f578e668c0baa40882fbdadb344a94bd5a544fe50a4b726f2d576b653

  • Size

    326KB

  • Sample

    241105-v39k3awdjq

  • MD5

    12b3bba113cc5fac8d6d87e4ce03f4ea

  • SHA1

    7383957582d7ad17dd4b09d9ade768c2c24c4b55

  • SHA256

    d11df82f578e668c0baa40882fbdadb344a94bd5a544fe50a4b726f2d576b653

  • SHA512

    1b61801592614d57bdbe9acd6b1de9143fea38da2db4384ce95c017891705b1a7416dd4ffffd7c5613c909888afbf7eb01fee6b7dc6bfaa30be4475edd49dd57

  • SSDEEP

    6144:3UoTj7AMOxXs7r9KY0hPwakjiyUYvfyl9GCp+T0PrU/WvdJPGFTkjiyUYvfyl9Gq:3RTHAMKecYCoXUYvflCA0PrZdJ+FoXUB

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojan

Malware Config

Targets

    • Target

      002654万润科技xlsx.bat

    • Size

      224KB

    • MD5

      2bdffc0196fa8fe420d450c30d3e47f9

    • SHA1

      6751e2f6afae3c6dee6ebe82630d19e19ac7b3af

    • SHA256

      1497ef3f6249427ac349bf5178e21d9d63aacfab84327e97bfdc4149f775b9bb

    • SHA512

      cee9ef8d61f67273cd4a787754d78bbe655afa6064f3dccd9b08283a293524df98c56d2efd9c647c14f3a8c35b21971c9d51b7ede12b2617d0afd3db2d75f2b4

    • SSDEEP

      3072:NJJcpg42DhdTpmrestbnZqKFUdIAP6WokM7UbGVXTYJVJhhCVh3VoCoz7pHkQ:NQpgl1dTpgeoFYBLojUbGVOSVO7F

    Score
    10/10
    gh0stratpurplefoxdiscoverypersistenceratrootkittrojan

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      300227ϴxlsx.bat

    • Size

      224KB

    • MD5

      2bdffc0196fa8fe420d450c30d3e47f9

    • SHA1

      6751e2f6afae3c6dee6ebe82630d19e19ac7b3af

    • SHA256

      1497ef3f6249427ac349bf5178e21d9d63aacfab84327e97bfdc4149f775b9bb

    • SHA512

      cee9ef8d61f67273cd4a787754d78bbe655afa6064f3dccd9b08283a293524df98c56d2efd9c647c14f3a8c35b21971c9d51b7ede12b2617d0afd3db2d75f2b4

    • SSDEEP

      3072:NJJcpg42DhdTpmrestbnZqKFUdIAP6WokM7UbGVXTYJVJhhCVh3VoCoz7pHkQ:NQpgl1dTpgeoFYBLojUbGVOSVO7F

    Score
    10/10
    gh0stratpurplefoxdiscoverypersistenceratrootkittrojan

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

    • Target

      300738·xlsx.bat

    • Size

      224KB

    • MD5

      2bdffc0196fa8fe420d450c30d3e47f9

    • SHA1

      6751e2f6afae3c6dee6ebe82630d19e19ac7b3af

    • SHA256

      1497ef3f6249427ac349bf5178e21d9d63aacfab84327e97bfdc4149f775b9bb

    • SHA512

      cee9ef8d61f67273cd4a787754d78bbe655afa6064f3dccd9b08283a293524df98c56d2efd9c647c14f3a8c35b21971c9d51b7ede12b2617d0afd3db2d75f2b4

    • SSDEEP

      3072:NJJcpg42DhdTpmrestbnZqKFUdIAP6WokM7UbGVXTYJVJhhCVh3VoCoz7pHkQ:NQpgl1dTpgeoFYBLojUbGVOSVO7F

    Score
    10/10
    gh0stratpurplefoxdiscoverypersistenceratrootkittrojan

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks