General
-
Target
1696c0f354335754e99143a955410f83ec2e96cbb850bda00a3f6bc891ec04c6
-
Size
4.2MB
-
Sample
250105-kjcf4synft
-
MD5
65c34107b553b5b0281dba4e92a7ffd8
-
SHA1
637295577825cee577265239368d6faf1d196dd5
-
SHA256
1696c0f354335754e99143a955410f83ec2e96cbb850bda00a3f6bc891ec04c6
-
SHA512
d4453f26e1ad5a94413332e21b000a7f26103029a0e7a3c8dfaf70ca4415de4f8d62b3ffcb095152f370b7a8c9ca5a9e50021237d9b75f0970fc57a6ab506687
-
SSDEEP
98304:SB+u1I8gmwJuKEvAG8OW8CRhsF4j4HYzI8gmwJi8OW8CRhsF4j4HYzI8gmwJ38Oj:+I8lwZEvsOKoF4U8lwTOKoF4U8lw6OKq
Malware Config
Targets
-
-
Target
Lunar Client+破解/Lunar Client+启动器1号.cmd
-
Size
16B
-
MD5
28d6cb9798b70c6a201ef66402724d74
-
SHA1
e3268b06cc205d8b40aa3b5454d97766c36ec130
-
SHA256
ba543f40fab120657920115d60fc9953fc803f3a0114ca347671e057d15217b3
-
SHA512
1bee6a9a16f93bb658b470482ca07a1ca02ad6dae092d931c870e66ffd05f54d190e47cb00d4ecee5a9900a142aabfee5c536ae1aa8650c6a4d411354e48384e
Score1/10 -
-
-
Target
Lunar Client+破解/Lunar Client+启动器2号.lnk.lnk
-
Size
1KB
-
MD5
495c74e517f2e6e8a348a005bce5844a
-
SHA1
0ffe74cca89fb00e0dfc7380510b5b6a9a6e3bc8
-
SHA256
f094a7d8e7d4a26da9ed4479f8f087797db8f748927fa0a5ba82e298bf93e195
-
SHA512
0cc1fec03bfa8762c21042def2bd95460bc09262b8ddd1f560cc332183d8e75c5b799a1e8757e8a858c962d0112fc574900d038882912923d6f17c548f4bd7cc
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
Lunar Client+破解/Lunar/Java.exe
-
Size
2.4MB
-
MD5
bacf0a2e8cf5384e14514d541556e77d
-
SHA1
1cb99da2e7d260859c1d5ba25fb7410a3a14dd93
-
SHA256
516aeb8b1e14bd0fb5ad3a2e03165d18bf8719807ea21f89b0eec177e7ad70c2
-
SHA512
f4a2722ab69643b244193f683acebf56003c124dc36bf24bc9b16af246c7a7ba71690d0fd4171f970c17e5127025da5e06830991c3e1171f615ad27570661dbb
-
SSDEEP
49152:3CwsbCANnKXferL7Vwe/Gg0P+WhQjzlEy:yws2ANnKXOaeOgmhQnlEy
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
Lunar Client+破解/Lunar/Lunar Client+.cmd
-
Size
16B
-
MD5
b774e34f342dd3b17ce325bee2d7441d
-
SHA1
f97de0cb1aaf26d8ab9de39d72cc559f9b04a89e
-
SHA256
2aaae0bca455c8427d4364fedd8482ef1d90c2cbaaa9b095db838c53bf534b18
-
SHA512
9ae2b5b3c49f746f0d87f82ad3b1d7314a2735bc323f2bd954eb2ead11e2857d047f62613f1f678864560e9a1d9e0cd0b4f98526f0b3723872e2c4440d726ca4
Score1/10 -
-
-
Target
Lunar Client+破解/Lunar/Lunar Client+.exe
-
Size
2.4MB
-
MD5
1b920c50ef0eaef8aa2ff1c95e0ffbc3
-
SHA1
1abed1352e4e5a048288d13f25886186922db005
-
SHA256
cae8b00f2a52c9437a8d5b1430e7de81ee5f041e68e368ea6eebc517d4deef97
-
SHA512
9dfc4bd34e82ccc7329b221745d12b0e50175344dc65a3e499c4dabde00603f6a009aa8801fb4dd8bec1e808ce949a7dc389497583921996b22d14977b483f9f
-
SSDEEP
24576:pCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHw:pCwsbCANnKXferL7Vwe/Gg0P+Wht5D
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
Lunar Client+破解/Lunar/Lunar Client+破解Setup.vbs
-
Size
1011B
-
MD5
3737069ba8d456902ba334f0c7648800
-
SHA1
34695915ce71828140375466ebd379b501ae7be8
-
SHA256
7a744e074e5fb598ca51e7de0d0ff586b7133e4c4ed8e1bda2249aee812a0b06
-
SHA512
b6a409f4f0139b23587c41951c0b8f0b954103813a6b40a1af298ce79a817a4c9110659f25021c5c4d746655595503a4b3398a2ac6350f9435f73af061257a2b
Score1/10 -
-
-
Target
Lunar Client+破解/Lunar/Lunar.dll
-
Size
19B
-
MD5
c863367d5e6ca76cefdb3183428d353f
-
SHA1
8eda635ca4f93011fa5240100a50f8df0804979b
-
SHA256
2ab2115ae406c8ee8c3506c356804885c4e5e30cc207aef18e18fcffc44b2462
-
SHA512
530b6f6709a6aaa341d00b3f4961235f622238cbc0d68270e3793d9910d48b0a3e4e2f5e3a4a9a8fb0e3f6c48ac1c3a4d3eeb70e28d29791baf5f155fc4f5b2f
Score1/10 -
-
-
Target
Lunar Client+破解/Lunar/lunar.gg连接.exe
-
Size
2.4MB
-
MD5
f001d8791552c9ddaf4ddee81c044d39
-
SHA1
d9658d3ff10b5582e72947fdcee7fc46d92a5206
-
SHA256
54c05671c715081161dda1667e1da68c0eeb1b1241a25daa2c78cca5fb453a17
-
SHA512
11a2b99e7e72e8d8b1391878d1ef76f6578f79828e01b73456d166dfb8041a230369536e03f5eaa8c92990cbc48de0a8c4f6cbb1facfc65b227d2c6a1f37e52b
-
SSDEEP
24576:pCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nH3:pCwsbCANnKXferL7Vwe/Gg0P+Wht5U
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
Lunar Client+破解/Lunar/破解器.exe
-
Size
2.4MB
-
MD5
f001d8791552c9ddaf4ddee81c044d39
-
SHA1
d9658d3ff10b5582e72947fdcee7fc46d92a5206
-
SHA256
54c05671c715081161dda1667e1da68c0eeb1b1241a25daa2c78cca5fb453a17
-
SHA512
11a2b99e7e72e8d8b1391878d1ef76f6578f79828e01b73456d166dfb8041a230369536e03f5eaa8c92990cbc48de0a8c4f6cbb1facfc65b227d2c6a1f37e52b
-
SSDEEP
24576:pCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nH3:pCwsbCANnKXferL7Vwe/Gg0P+Wht5U
Score10/10-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1