General

  • Target: 2379f525e0da1da19cbdccfb00409b396f89863ee7864ec74dab8490cb1218be
  • Size: 1.2MB
  • Sample: 241118-xrfjysshlb
  • MD5: f5c9481628c5f9516ccea876616c9109
  • SHA1: 311875bcff7bf493aa27fddbbb8643c910f642f1
  • SHA256: 2379f525e0da1da19cbdccfb00409b396f89863ee7864ec74dab8490cb1218be
  • SHA512: 0bd2ce9108e5633c7122a9c5c54896fdaea62d11012e84f05205a35cef6b1d95028d3d2774302a3ae4d9f848d767b1eb9fd80b0d8d6eaf34fbfd2d49d78167c5
  • SSDEEP: 24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtix:WIwgMEuy+inDfp3/XoCw57XYBwKx

Targets

    • Detect PurpleFox Rootkit

      Detects the PurpleFox rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.
