Overview

overview

10

Static

static

3

cec838f587...06.exe

windows7-x64

10

cec838f587...06.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cec838f58787f19fe780be424574627bcb44ec5041f89a40b7ce1a8593444106

  • Size

    6.1MB

  • Sample

    241228-s7wtnazler

  • MD5

    ee7de747667128693a1de237bdc6830c

  • SHA1

    c87b0ee4f17da9cb81e8c4f610ebe9a438d9acae

  • SHA256

    cec838f58787f19fe780be424574627bcb44ec5041f89a40b7ce1a8593444106

  • SHA512

    073dadc95cbe111658e57343328fa9b3821b676d5b62a16f898603d020a5525dfe099cb41769c6058ab2473111834541a9a1f5013545eb518f93687269c97b52

  • SSDEEP

    98304:pws2ANnKXOaeOgmhI1BTuOZ+zSL6E9NkSy38jWLMMMyziqcrX6G5ijWAKJSQktZw:bKXbeO7S1pHwOWCkPzXeqE3ijWpH

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Targets

    • Target

      cec838f58787f19fe780be424574627bcb44ec5041f89a40b7ce1a8593444106

    • Size

      6.1MB

    • MD5

      ee7de747667128693a1de237bdc6830c

    • SHA1

      c87b0ee4f17da9cb81e8c4f610ebe9a438d9acae

    • SHA256

      cec838f58787f19fe780be424574627bcb44ec5041f89a40b7ce1a8593444106

    • SHA512

      073dadc95cbe111658e57343328fa9b3821b676d5b62a16f898603d020a5525dfe099cb41769c6058ab2473111834541a9a1f5013545eb518f93687269c97b52

    • SSDEEP

      98304:pws2ANnKXOaeOgmhI1BTuOZ+zSL6E9NkSy38jWLMMMyziqcrX6G5ijWAKJSQktZw:bKXbeO7S1pHwOWCkPzXeqE3ijWpH

    Score
    10/10
    gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.