gh0strat | aa30dac805bfa1f165b9f6ab42119fb30bf9e6a448b3d6b295258130c6359ccd | Triage

Submit
Reports

Overview

overview

Static

static

Tele中文版.msi

windows7-x64

Tele中文版.msi

windows10-2004-x64

Sharing

General

Target

Tele中文版.zip
Size

50.3MB
Sample

220820-jlcn8aggeq
MD5

b61ad10c51fe5ecd5a4128f39dcf1c3c
SHA1

82657e520f1e090d30b0e1e6128c66f3355e1363
SHA256

aa30dac805bfa1f165b9f6ab42119fb30bf9e6a448b3d6b295258130c6359ccd
SHA512

c10924db3a0161b114951674f3bc67bb855cb61ec1e15f805d3b80f5ea1cd26e861061090200462d17d9b8494433558f32016f25a8163d685de03765a6bb7034
SSDEEP

1572864:OqB+krkuCOEYBkUg01ag1R8tA5W5sevWb5tM7Mg+ip:Oe+kJCOjkUZt/ucWBvzS2

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

Tele中文版.msi

Resource

win7-20220812-en

gh0strat purplefox persistence rat rootkit trojan upx

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Tele中文版.msi

Resource

win10v2004-20220812-en

gh0strat purplefox persistence rat rootkit trojan upx

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  Tele中文版.msi
- Size
  
  51.0MB
- MD5
  
  56b1dee1f34a655aec87c602d3956ce1
- SHA1
  
  ff2c252b7508ebe26501f1a293107e9bd78b576a
- SHA256
  
  c789263d51fbf6f582fdf533f46cb93cb95329bb808b6c61ee4c64dcde5d7174
- SHA512
  
  998ea2ca5015f2a4d3c4f6cda49b673ade409accfcd4d46b3992db83bd1fbb5d0333d4eff35ee140c93459bb2937a2b269b9d1353e23c9498934527e9844dd20
- SSDEEP
  
  1572864:aqt0axOqmCQ1AM2bDP80LXTxdWpWyvvMDZVUp2G2e2kuWlQu:ao0aJmCdM2PJb1gppvMumWq
Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Privilege Escalation

New Service

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxpersistenceratrootkittrojanupx

behavioral2

gh0stratpurplefoxpersistenceratrootkittrojanupx

© 2018-2024

Terms | Privacy