Overview

overview

10

Static

static

7

5b8bd7a5c9...90.exe

windows7-x64

10

5b8bd7a5c9...90.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5b8bd7a5c97b4fd61f2c792d62a8f74e7fcbc3f46ee6ff86d3fc8e1682795090

  • Size

    1.2MB

  • Sample

    250131-yrat5sxpek

  • MD5

    1e26607123d86b6b907e248099725c50

  • SHA1

    d4724cd9bda10f6c5cb73378d18967cfb287d739

  • SHA256

    5b8bd7a5c97b4fd61f2c792d62a8f74e7fcbc3f46ee6ff86d3fc8e1682795090

  • SHA512

    95adc3821b1fb1860686f56ae5e3c1e53f9c37f9fdcd420e036799bbf9cf4b4d97ef4be27b293bd56996e9f6d07cec60bc8a3da5ccf696fb6072feeb9d1d88d4

  • SSDEEP

    24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtim:WIwgMEuy+inDfp3/XoCw57XYBwKm

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupxvmprotect

Malware Config

Targets

    • Target

      5b8bd7a5c97b4fd61f2c792d62a8f74e7fcbc3f46ee6ff86d3fc8e1682795090

    • Size

      1.2MB

    • MD5

      1e26607123d86b6b907e248099725c50

    • SHA1

      d4724cd9bda10f6c5cb73378d18967cfb287d739

    • SHA256

      5b8bd7a5c97b4fd61f2c792d62a8f74e7fcbc3f46ee6ff86d3fc8e1682795090

    • SHA512

      95adc3821b1fb1860686f56ae5e3c1e53f9c37f9fdcd420e036799bbf9cf4b4d97ef4be27b293bd56996e9f6d07cec60bc8a3da5ccf696fb6072feeb9d1d88d4

    • SSDEEP

      24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtim:WIwgMEuy+inDfp3/XoCw57XYBwKm

    Score
    10/10
    gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupxvmprotect

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.