Overview

overview

10

Static

static

7

WB/libcurl.dll

windows7-x64

7

WB/libcurl.dll

windows10-2004-x64

7

WB/茧火�....2.exe

windows7-x64

10

WB/茧火�....2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7796341937010110a266a127d86df0725e625d9be1c02fc4fa5dc7fe96a42598

  • Size

    1.7MB

  • Sample

    241215-19fjfs1qdp

  • MD5

    00479fec2fee0d8e6961a59456922a29

  • SHA1

    4ce8fae9a17bb00b7fc9ad073e6c3032beec3514

  • SHA256

    7796341937010110a266a127d86df0725e625d9be1c02fc4fa5dc7fe96a42598

  • SHA512

    24da0ffb16dd549badaa26feb42e883018f934ea68a210afbd45031646a9091facc41ac3419458e59f0a90bda6609a8516bb4da3ab34504cf65f31ecb62392d0

  • SSDEEP

    49152:mNa8vnCim6x4Mz9SEHM0iTnDJJZk425V/zaBM3SbawwtlA:4xWTEHMba4aBN3SbAA

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanvmprotect

Malware Config

Targets

    • Target

      WB/libcurl.dll

    • Size

      730KB

    • MD5

      21c76027249d2797f7c525826443dff9

    • SHA1

      dce966f85251255d1ced14641583d14f6c94d889

    • SHA256

      b886350941b3d0c5832e6e03b1b88e562f7b27d7a81cf36895387ab319f682e9

    • SHA512

      dba30e2c765445f2c7b56f07450b336df3ba696b51b2c3e6be88bb8698bfefb122b13406facb5a677c38b0580a7753dd28cc794f7da6aca850de6adae4d0d625

    • SSDEEP

      12288:oeeQvbf7tRlvGt0v1SROTElo+fnpwsN18RHON2l0q8hdJvV66M/wNpkR:o8nPv15GZfqsX0HON2lCL+/INW

    Score
    7/10
    discoveryvmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      WB/茧火虫用户端 V1.0.2.exe

    • Size

      2.5MB

    • MD5

      842af33f5702fa99efd8f7b235f28fcc

    • SHA1

      b841b71a4e39432f3a940ad841e74ea1686da6c9

    • SHA256

      82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

    • SHA512

      ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

    • SSDEEP

      24576:bM/RzHFf9qi5W0xSSWWECzoMuJL5KoshcfTYa6uppI1yU4AWJe5pAT0HFTLaGKfM:f6sKpETPub0J0lTuRjlH6/oPgH

    Score
    10/10
    gh0stratpurplefoxdiscoverypersistenceratrootkittrojanvmprotect

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks