gh0strat | 785e9b07fc8ed60165bccab77cd09e1a7991ce1c54c6afb58a9d4d37b76e69e0 | Triage

Submit
Reports

Overview

overview

Static

static

Tele-CN汉化.msi

windows7-x64

8

Tele-CN汉化.msi

windows10-2004-x64

Sharing

General

Target

Tele-CN汉化.msi
Size

49.4MB
Sample

220813-jgj8hahgg6
MD5

158f0c8142dd01e983f1797a6264362e
SHA1

42c8e368334d75c6c6deeac9dac8f8cc0f9c812c
SHA256

785e9b07fc8ed60165bccab77cd09e1a7991ce1c54c6afb58a9d4d37b76e69e0
SHA512

7990f8e421be357b9e6adc50731b4c2b0b952718809a8765b1572979c6abc5dd38c1d77533afd74ddba44c19cc743e201498e73915687353a7567f6ead62c394

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

Tele-CN汉化.msi

Resource

win7-20220812-en

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Tele-CN汉化.msi

Resource

win10v2004-20220812-en

gh0strat purplefox persistence rat rootkit trojan upx

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  Tele-CN汉化.msi
- Size
  
  49.4MB
- MD5
  
  158f0c8142dd01e983f1797a6264362e
- SHA1
  
  42c8e368334d75c6c6deeac9dac8f8cc0f9c812c
- SHA256
  
  785e9b07fc8ed60165bccab77cd09e1a7991ce1c54c6afb58a9d4d37b76e69e0
- SHA512
  
  7990f8e421be357b9e6adc50731b4c2b0b952718809a8765b1572979c6abc5dd38c1d77533afd74ddba44c19cc743e201498e73915687353a7567f6ead62c394
Score

10^/10

persistence gh0strat purplefox rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Creates new service(s)
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Privilege Escalation

New Service

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpurplefoxpersistenceratrootkittrojanupx

© 2018-2024

Terms | Privacy