General
Target: ChromeSetupz.5516.25.msi.vir
Size: 20.2MB
Sample: 241118-lxswpaypgp
MD5: 92f66429d4ad77c68f77060cb18dcce0
SHA1: cde034910f4ad24df46f6bc7e4e6d467ac8baa31
SHA256: 08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865
SHA512: de04850632071600f6d1b9efaa3d4272ef4176e474ab8feb0caf029c300fb4c0d5a0d9f28a037c4b61a9ddaa9ca2fc89d82f09c414bffc9580935b05f1b59cc7
SSDEEP: 393216:0Q0Frf5krXSujs/7rYMB6z4GGFTfuN0+O6r7a7n25K5Q0quXbenFJldPYjzhEiA8:0Q05JQs/gZzdGFyHre7n250PbenFtPQl
Static task: static1
Behavioral task: behavioral1
Sample: ChromeSetupz.5516.25.msi
Resource: win7-20241023-en
Malware Config
Targets
Target: ChromeSetupz.5516.25.msi.vir
-
Gh0st RAT payload
-
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)