General

  • Target

    57d351420b4b339d78441003326f35fed9311c5246dcd6e7f3d4c23f7ddbfc64

  • Size

    1.2MB

  • Sample

    241224-fexh9s1qax

  • MD5

    80ccfb1b2aa9cfe0c0edb8e6eefbb96b

  • SHA1

    85e2d4915850774ee272ad190fffdd468a573efe

  • SHA256

    57d351420b4b339d78441003326f35fed9311c5246dcd6e7f3d4c23f7ddbfc64

  • SHA512

    139c0ddd56808d2cc81aa7a1476f41247bb4bf091150edc6608df28327dc854bbc4167ff9d0f74e6ac22d5853a9cbf5d0d764a31b5f9b0b61d44a9e643fb0920

  • SSDEEP

    24576:9WnukjaDKSnYBzaJbjSoGF9LzpELx3N/nHwhHK28URjX+y:MnTjaD/9v6Vcx9HwNhuy

Malware Config

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the UPX (or modified UPX) open-source packer.

MITRE ATT&CK Enterprise v15

Tasks