General

  • Target

    5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c

  • Size

    1.2MB

  • Sample

    241223-c77yxsvkaw

  • MD5

    69070a1314c6609eb499e8e30217250c

  • SHA1

    4400dc7637584d988aef9305f0e206fcf88adfe9

  • SHA256

    5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c

  • SHA512

    a2122ca7cd4cb881da502d7f6071998c665839f5bda7cb8c8a4e6955af730141b536e9c5b68bf18f7cc96524c685f934f757de135e218ad549b535555fe23bfd

  • SSDEEP

    24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJti2:WIwgMEuy+inDfp3/XoCw57XYBwK2

Malware Config

Targets

    • Target

      5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c

    • Size

      1.2MB

    • MD5

      69070a1314c6609eb499e8e30217250c

    • SHA1

      4400dc7637584d988aef9305f0e206fcf88adfe9

    • SHA256

      5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c

    • SHA512

      a2122ca7cd4cb881da502d7f6071998c665839f5bda7cb8c8a4e6955af730141b536e9c5b68bf18f7cc96524c685f934f757de135e218ad549b535555fe23bfd

    • SSDEEP

      24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJti2:WIwgMEuy+inDfp3/XoCw57XYBwK2

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Purplefox family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks