General
Target: 222f541e0e7a8a986b85349f6f23d198e708be76508d1c3875ca8535585fb3f7
Size: 3.6MB
Sample: 250303-y1rt1sxybz
MD5: 0c0564a8ae6be0a027896193e6ec5cb6
SHA1: e4f126b1e13bbef334e93c954d2ef00b37aad5f8
SHA256: 222f541e0e7a8a986b85349f6f23d198e708be76508d1c3875ca8535585fb3f7
SHA512: 69e5785ffc043ccc66e9e2bcc254084b7495bffcf7d9f792eb3990f36db1cf258c7ae91a4b19719f0c6b3e1ac84e0706d7865e2edbc2b1fede2832d06a3762f3
SSDEEP: 49152:VCwsbCAN7KXferL7Vwe/Gg0P+WhxUExuqrQLutI+MWB:Iws2AN7KXOaeOgmharqrQLuuE
Static task: static1
Behavioral task: behavioral1
Sample: 222f541e0e7a8a986b85349f6f23d198e708be76508d1c3875ca8535585fb3f7.exe
Resource: win7-20241010-en
Malware Config
Extracted family: sality
Targets
Target: 222f541e0e7a8a986b85349f6f23d198e708be76508d1c3875ca8535585fb3f7
-
Gh0st RAT payload
-
Gh0strat family
-
Modifies firewall policy service
-
Purplefox family
-
Sality family
-
UAC bypass
-
Windows security bypass
-
Drops file in Drivers directory
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15 (hit count per technique in parentheses)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)