General

  • Target

    35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi.vir

  • Size

    37.5MB

  • Sample

    241124-mz8wcssmdr

  • MD5

    0abc6b6ea4e322a248f31125ddb8911b

  • SHA1

    26f0a5b6631e7ae1e324f8ce24eb967379f07416

  • SHA256

    35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91

  • SHA512

    364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9

  • SSDEEP

    786432:TddVYfoDIf7i1q8WjTRThlXgxopO+9giU2yoLVhm+Zjh:TddVYf00pDfO+9DU2vLVVVh

Malware Config

Targets

    • Target

      35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi.vir

    • Size

      37.5MB

    • MD5

      0abc6b6ea4e322a248f31125ddb8911b

    • SHA1

      26f0a5b6631e7ae1e324f8ce24eb967379f07416

    • SHA256

      35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91

    • SHA512

      364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9

    • SSDEEP

      786432:TddVYfoDIf7i1q8WjTRThlXgxopO+9giU2yoLVhm+Zjh:TddVYf00pDfO+9DU2vLVVVh

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Purplefox family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks