General
-
Target
2345pic_x64.msi
-
Size
79.4MB
-
Sample
241112-2c6j2ssfnp
-
MD5
fe984489b63aa7cd7aee6c48fe69e08d
-
SHA1
b5cac8c66311b7601e0ef2a1d134bf06a8079497
-
SHA256
092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
-
SHA512
806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
-
SSDEEP
1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S
Malware Config
Targets
-
-
Target
2345pic_x64.msi
-
Size
79.4MB
-
MD5
fe984489b63aa7cd7aee6c48fe69e08d
-
SHA1
b5cac8c66311b7601e0ef2a1d134bf06a8079497
-
SHA256
092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
-
SHA512
806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
-
SSDEEP
1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Installer Packages
1Privilege Escalation
Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Installer Packages
1