General

  • Target

    9e364ccf2384a19973de23c0b730e50a84a250f915e09253e77740baa69eb9bb

  • Size

    10.9MB

  • Sample

    241118-k3a3dssqgt

  • MD5

    9f01ccb1587ba4b9009d6ce0d333e143

  • SHA1

    19c95a4a08dcbdfdfa70af09b14ee5dff05d3788

  • SHA256

    9e364ccf2384a19973de23c0b730e50a84a250f915e09253e77740baa69eb9bb

  • SHA512

    7ddb1ce1c23060d1a72f75e06fa85b579ed179f72d05e5915b8924b38149ea4e4737490dd1e6305a651298aa0cc058f12750fa8591e8217f71caa51d8be11308

  • SSDEEP

    196608:vYPJdcE4G1fCTcT0RTmpwYk5vdQ2ypCVyn1qoKQoumCbi9if6VdJh1AqKups1oD:UAG1f4cwdmFfnUoKQoxYSVdNAqKui1M

Malware Config

Targets

    • Target

      Bin1799/Cache/Install.dat

    • Size

      1.3MB

    • MD5

      994833f27702b917503b94433959cf4d

    • SHA1

      6eaed7dcfbf90e248ed1b332a2cce69bdff0c7e4

    • SHA256

      9c065cfffadffd4ccf992fc0cddc725d72989f187b8d9f296e0f373b896c8a94

    • SHA512

      d46b6efabba82d09c19c5ed01458eab48a6d828552161db994fded170ef64a33b3139db360b5d7cb82a3c1ec1ac383b80e79a8898ca6d8446a76464d63ef7eed

    • SSDEEP

      24576:2zJjphgxfmGkBAyENVSlXhQDqfZPyJBhBMpYG8:2zHaxom+WrKYG

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Purplefox family

    • Target

      Bin1799/Client.exe

    • Size

      6.4MB

    • MD5

      3ea0814ab437a2774715a017289f32e7

    • SHA1

      7de855de88853661570379bbc462cd0629a89d6e

    • SHA256

      cf5fd9e1027a8d18fcd4b7a8ed2c2e9ff42649185bebf702d4dc85160a5af688

    • SHA512

      5f2c95c6a6cb0660fc13652d463f736e8fe053740c6043015176d90d54be3a3462ad9bafcee25cb757da7aaba1cf23ff89f6ddb08b059bebc60f78bdf1f24f81

    • SSDEEP

      98304:UiMF2kiCaBKBoB5gXngUD4ruTfUDFtE5LsnsQa45:UiaWKGBapD4ruT8DFtE5LsnsQR

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Bin1799/Plugins/Baidu.html

    • Size

      2KB

    • MD5

      56c6f441c524664e50b5584a3784787b

    • SHA1

      4b0437a2c17c543cb3783e6f213d32af32b1a87b

    • SHA256

      75b58a5c8872304cac818e870ab06a967f4fd5ed682320c16622949c3c15857e

    • SHA512

      42a06b4880899432dfe7002719206e3e2c2364d83bc5772fb8505296be8d82a6bf0f31ed08785e4b7afe8910bbf06d8d6453c16ee6f4d0836acc6c80f44e588a

    Score
    3/10
    • Target

      Bin1799/Plugins/BaiduE.html

    • Size

      280B

    • MD5

      77559f9c53cbf5bb2e736cfe579282eb

    • SHA1

      8129beb248002ef82f2fa57f697acca89b68d0a4

    • SHA256

      20912c61f079aef14db0e95c0b758263b6db0de0e395bf82a5782c61f7a23fc6

    • SHA512

      fbd24387227e1fc7489c54fd4a6f20d692450aaea4417b26a8169df7cf82133bfc3d26b18356b4e23c82c5fd4af17f019b103fcb8b7ebd95204a281f7579f56a

    Score
    3/10
    • Target

      Bin1799/Plugins/Gaode.html

    • Size

      1KB

    • MD5

      9d9a8c9fcaa08607f615642cbbc29125

    • SHA1

      953ed046d3583fee6f9558b3146310e77e4c3613

    • SHA256

      64a05ce511f9a49b2c19748fc5a955897a0d7f0fd10905dd4fe60c7d16c688a9

    • SHA512

      b251069b6e9accdf8450587b65eaf6c21bc03be916380e251f213ea919088aac97198dd75fa36047ab772adf77862b0893914800071e930f4da211a67c67e1ce

    Score
    3/10
    • Target

      Bin1799/Plugins/GaodeE.html

    • Size

      280B

    • MD5

      61b5cba92086a8083269f226243ccc14

    • SHA1

      14af3d49f5ff04ece87aca21bcdcfb7a843dbc48

    • SHA256

      50bb720dc114cf562e7ac6cb34f003589c4ae227d9a4efaf5db4e3fe5a1725f8

    • SHA512

      5f9fcc73d7f83d56bb67a3c8f765a05b162309436feb9ba97f6f7e5e45ed0f8fadafcc1068f02064f8bba010b3f6918003f47f405c2fd6c60f7fac450f3d2b9f

    Score
    3/10
    • Target

      Bin1799/Plugins/GetPswd32.exe

    • Size

      731KB

    • MD5

      6d17bb7e8958d4927296261af95b4cd3

    • SHA1

      1f598160904b136c8b2ac4cf9a0f2aa7358ab861

    • SHA256

      59f9bb49b41f3206b60b4d479000bf9fff7ef73fb1fda55b2eb13231482c8c22

    • SHA512

      c58f2abdc50c33c37534730502ae09df39a0e7d3ae9cd38dfd16d363e4f0e80e6b0193eb44b61bdf8cfa9ebae221d3bdb9a47a6efb9a393dd1360296c1a12f1e

    • SSDEEP

      12288:Gh3/4Ec7oDbB1iU5nF3c9HGNKrH0wOv+zRjhva+yLnXKlXh2:G2Ec7CL5F3zKrHvOv+zL4Ln6v2

    Score
    3/10
    • Target

      Bin1799/Plugins/GetPswd64.exe

    • Size

      905KB

    • MD5

      50300de5e4786530ea603224ccbcbb02

    • SHA1

      d343b0019084de2dd882e92a79a872370bc6028f

    • SHA256

      23a243a1ce474c4da90b1003ffcbaf9a3ff25e0787844bfe74c21671fdd8b269

    • SHA512

      a41f0e2140046d1074e444881e7b23f3ba79e304acca4df25dcdb522e0a1ef21b5e64245748d359cad18e4966d76fe622cbc8f542ee1cf2a38f9de5971398b8c

    • SSDEEP

      12288:XulOcf0V9D412xvPU/zXaBlWzrXp1URanmlWnD2Rviv8gxFx:XulOcsV9DK2J2aBcpsam5RvikgR

    Score
    1/10
    • Target

      Bin1799/Plugins/IPUpdate.exe

    • Size

      918KB

    • MD5

      450c4149f3f5df5d5024437b49846a64

    • SHA1

      477b9804b1092a99247b0114be3cc95f8d2d2f9d

    • SHA256

      c34e57f55c88fe2d7c5036e82b24c985a55919e116f02adccdd07e4c480f5bf0

    • SHA512

      6861fa968876f75a57076c454598777a0d45347b66df81f31e06147eb57f78c3637eb69bd7488445ce05b0583fcf034c590ccfcf0031f368c786ca3241e66e39

    • SSDEEP

      24576:X2sRudQkqPU1bei/m333afTWdLZdZfWZdZfCZdZfepg:XC+XSB+HqTWdLZTfWZTfCZTf/

    Score
    3/10
    • Target

      Bin1799/Plugins/PcLock.exe

    • Size

      573KB

    • MD5

      91f6d17d7ba629cbfd949c26b6d15982

    • SHA1

      aa16a91fd32d634560adf8242353b545de8ba8b4

    • SHA256

      1bdbb2927c50e99ab1f61930d80e46afb3b77ccd1c30d3f95342e75650159295

    • SHA512

      a02476aea31393e8aefef61732e60c37568bebaa614414d928bdcfff2f2f29a09f485267c9bc4e5a8aa4b7b8f31262bf8629bb9da89d1c19c596e3d400d31d08

    • SSDEEP

      12288:sX5isPFzLIv1MokGAf0ka3H7HSR8wEwux:A8stlGAf+H7HKEx

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Bin1799/Plugins/ShellCode.bat

    • Size

      569B

    • MD5

      8cd7ab4e93011f62c0ffb49550f953d2

    • SHA1

      70aac31a1a5be483ec1a7909b5f50efaeee27bc1

    • SHA256

      81e626258fdd763b3e2aa53d98070d7cbcba2e5ed80e0eb535d9707d8c9f7083

    • SHA512

      90a458dafd2aa61dd3ab1ba9f6a0f653c52f5190755f17eebee70d5dec44081d417f1a32e35fb0ddae42afb7808da906b2dfdc0f84d89b90dbe477310dd08d86

    Score
    10/10
    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • Target

      Bin1799/Plugins/ShellCode.exe

    • Size

      48KB

    • MD5

      48d69d71ba46f637d29909b3f1d3f662

    • SHA1

      7ba3e41427dc004189021bfb3124cd3b4040986c

    • SHA256

      32252e055c788f2424f915f4b89826bb249d98e003c29828fe6c34c0dcae6ba7

    • SHA512

      443b66bac5d74a1beb50f040833ac32bc9c22c54331a0a71d14775e1ee2b86a7b19114200a653769ba01aed687c56f1cf241b9a72760dc3013efb5b71417b7ad

    • SSDEEP

      384:OF5HUh5h39WoJgNFqb+wSgaVg7UCbSh0epVgzEvti4nRyKAcbQrWt2uq7QcH:80FbSjqb+UygXOZNRsyQSt2uq7Qc

    Score
    3/10
    • Target

      Bin1799/Plugins/bPluginVideo.dll

    • Size

      500KB

    • MD5

      72b1f5ab2e745b3ad06f07a4a8d6b5c5

    • SHA1

      a917f45570d05378a64dd07d766f93eab40491d2

    • SHA256

      0e7a76ebaaa4ea07bfd2cffb4be73f4c0c12f7ca2886ff9d980fa343c097a9d1

    • SHA512

      a059c5f1fdf6f13abc751b04201044767a2c7668b076b00d53203123a94b81a3bf05fa7a12c751fafa3ac34a4f8ed4703e527b49cb4ea68b5a4e78bd599fc96c

    • SSDEEP

      12288:kHOrJlp74eNt8Mp2XStzG5jwG0vgzVzXpnHveCQ:JJMeNGMp2CtzNgzVzXpnHveCQ

    Score
    1/10
    • Target

      Bin1799/Plugins/mstscax.dll

    • Size

      640KB

    • MD5

      b202b160c128ccb5265082a94ee01a6c

    • SHA1

      240dac2b308caccfdd0240acf036934e135a63d0

    • SHA256

      c9f554d83c6c3e02d0baccc1c2124112390e57136072b8282ae24c04e4796694

    • SHA512

      cd6b618a3b2ecb07999a56b08932486a081ec8d9e37558bc1fcf6970bf44989a81ac2ec59328596c9395b91b7e159bc8cdcbdcc03fd213b982d84ee6bf7f3f05

    • SSDEEP

      12288:qUtkfbJmi+xthCKKdo7QqkJHXab7c69fEmIwTs:WbJh+Qkc0EwT

    Score
    3/10
    • Target

      Bin1799/Plugins/termsrv_t.dll

    • Size

      210KB

    • MD5

      a77219a971029dc2fb683e8513713803

    • SHA1

      1c456520a7b7faf71900c71167038185f5a7d312

    • SHA256

      1eba9a909641e64e935090956b03182335d298cad78052cef3b3f75691eb3f50

    • SHA512

      06c8a1ce76f1600e2c791f9e634f9559c82948d0f7cc93648981476191e4c9f36cb5ee4148ee1fe94960e7275fc9d61550cab6ea0a43e783a0b7819764fd6215

    • SSDEEP

      3072:PtNuBp/YIDqobOlqVLBBjAg79G1T65ZF8p5LGvPEDRRQLUMPZU2GdH8CN9uiecd:PtNuBSID4AVdVAWF8p5L2ECPZzCN1

    Score
    3/10
    • Target

      Bin1799/SkinH.dll

    • Size

      89KB

    • MD5

      205e3693cb24b95018eaee62af86ae03

    • SHA1

      038749709bb472031c000557e57857222619dcd5

    • SHA256

      4954323e4532552e5b3691986d579fdce8ebe60b6ec1eb049658103e05c9d52d

    • SHA512

      4115d76eb964e8c84810ca1cb7758c74ef80d99168f38fb9ce036cea58f69b6579eabc16527b529a7f390f220d71952cbbcda84d20a05ef881714cf2c9a645cf

    • SSDEEP

      1536:i0FjTj6ETvveOsaXY9oq6e8+NUUramdPlVoCi2l3PgCfHmYWmqh0NAGNYyq98M0/:i26aHJsa/qRU4h3PHfYmqOYz2ETOFdCY

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, mimikatz
Score
10/10

behavioral1

gh0strat, purplefox, discovery, rat, rootkit, trojan
Score
10/10

behavioral2

gh0strat, purplefox, discovery, rat, rootkit, trojan
Score
10/10

behavioral3

discovery, upx
Score
5/10

behavioral4

discovery, upx
Score
5/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery, upx
Score
5/10

behavioral20

discovery, upx
Score
5/10

behavioral21

gh0strat, rat
Score
10/10

behavioral22

gh0strat, discovery, rat
Score
10/10

behavioral23

Score
1/10

behavioral24

discovery
Score
3/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery, upx
Score
5/10

behavioral32

discovery, upx
Score
5/10