Overview

overview

10

Static

static

7

WB/libcurl.dll

windows7-x64

7

WB/libcurl.dll

windows10-2004-x64

7

WB/茧火�....2.exe

windows7-x64

10

WB/茧火�....2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/12/2024, 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WB/茧火虫用户端 V1.0.2.exe

  • Size

    2.5MB

  • MD5

    842af33f5702fa99efd8f7b235f28fcc

  • SHA1

    b841b71a4e39432f3a940ad841e74ea1686da6c9

  • SHA256

    82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

  • SHA512

    ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

  • SSDEEP

    24576:bM/RzHFf9qi5W0xSSWWECzoMuJL5KoshcfTYa6uppI1yU4AWJe5pAT0HFTLaGKfM:f6sKpETPub0J0lTuRjlH6/oPgH

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanvmprotect

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WB\茧火虫用户端 V1.0.2.exe
    "C:\Users\Admin\AppData\Local\Temp\WB\茧火虫用户端 V1.0.2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\libcurl.dll
    Filesize

    730KB

    MD5

    21c76027249d2797f7c525826443dff9

    SHA1

    dce966f85251255d1ced14641583d14f6c94d889

    SHA256

    b886350941b3d0c5832e6e03b1b88e562f7b27d7a81cf36895387ab319f682e9

    SHA512

    dba30e2c765445f2c7b56f07450b336df3ba696b51b2c3e6be88bb8698bfefb122b13406facb5a677c38b0580a7753dd28cc794f7da6aca850de6adae4d0d625

    Download Submit

  • memory/2320-0-0x0000000010000000-0x0000000010212000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2320-2-0x0000000002420000-0x00000000025D0000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2320-32-0x0000000010000000-0x0000000010212000-memory.dmp

    Filesize

    2.1MB

    Download