Resubmissions

  • 08-12-2024 19:05 241208-xrpgvsslct 10

  • 08-12-2024 18:57 241208-xl4plaxjdr 10

General

  • Target

    2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid

  • Size

    3.0MB

  • Sample

    241208-xrpgvsslct

  • MD5

    7091ef9191eae2ef9fba1acd659f916d

  • SHA1

    3d2cd6a23c64fb57b07e517d00854bbde43bf0ea

  • SHA256

    7f68f7239f7f8ea8d9be6de86e869a508096d6da0c2e02f57520f0959018930c

  • SHA512

    faac00de734b6d85150570c648e29057b3e80811e3415732b7d65c039109a6bb5cb0b68bb345ae32f6f510ae2d283094879b9a10a5c99eaba456bf318c4c3437

  • SSDEEP

    49152:oQZAdVyVT9n/Gg0P+WhognG/wNCYnTC+vOuCsJwJ2k+s9pk+mcnG/wVUNQ3u:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQr

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks