General

  • Target

    WPS_Setup.msi.vir

  • Size

    242.9MB

  • Sample

    241119-d7txqszbqb

  • MD5

    3255760e78b6d9dd1ecdd6d4c31b2625

  • SHA1

    fa10fb8c29029fedf846d88ab3aba3870056f287

  • SHA256

    84eff4cdf5c39f9979e8d1434ab7e0472ca710bdcf0a5d4db920732386e31957

  • SHA512

    2bb0e5bec54a840620758b530d09c4fade7fe3136938302e0388fb172af703a665425dfd50e94c5591177957c28cd9bc5899f5380e206ab61de1484ff9f3ccdd

  • SSDEEP

    6291456:lLKBfaA+iLH02im/1aOUiWuXsiHDqzGw4VQ:lLWfadiL1B/1/UZucfzT4

Malware Config

Targets

    • Target

      WPS_Setup.msi.vir

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks