General
Target: 2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer
Size: 4.6MB
Sample: 241215-zrhenaxjat
MD5: e0bfdf2dc967cb0614ae05f4de146e1b
SHA1: c32a58bc3bfd426df9000796f91799b4fd7a62de
SHA256: 9ae268c84c2dc7ce1fd9c7069cf5ae1de8b3dd681116c28c8d143fe97d482b3a
SHA512: a5286e4ccd2b41c884d54f68eb36982e740b68d666167a56ff7671fd71560b97015c3f4f50cda4af5a26c602b62fe03e05099458f4ca20a3040e6b1b04cedb97
SSDEEP: 98304:7ws2ANBKXOaeOgmhwWIO0H7+ZUX8ZqvOd/cV/20V5hkgk/J:dYXbeO7gH7d2YVm
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
Resource: win7-20240903-en
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Targets
- Gh0st RAT payload
- Gh0strat family
- Modifies firewall policy service
- Purplefox family
- Sality family
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (7)