General

  • Target

    2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid

  • Size

    3.0MB

  • Sample

    241205-r7mejsyqbw

  • MD5

    7e6bbbe6f0d2afbcdab740efe8b1db6f

  • SHA1

    c3b6d18fe165dabf9b63ea394fcfe2c4cdaa8e7c

  • SHA256

    a44848c7375696bfbeedcc854d522757b99432d73d3e5d17d4e3a4c7525a89d2

  • SHA512

    78f5a011d40aed230af7d38979ddf9184bcb2d81e9da99a21e16b8b923e5405fcfcf7b90be442f72a90d083a555972db1bf3fafc1fda13af20159b953cc55010

  • SSDEEP

    98304:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQ+VnG/ws:+WT9nO71+wF/ilQ+V+ws

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • A potential corporate email address has been identified in the URL: icon-macOS@2x_ebb427cc.png

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks