gh0strat | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207 | Triage

Submit
Reports

Overview

overview

Static

static

3e4ae86da2...07.exe

windows7-x64

3e4ae86da2...07.exe

windows10-2004-x64

Sharing

General

Target

3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207
Size

36KB
Sample

221020-skg2zsagcl
MD5

2e5301c5190bee4c4ea97fad9fd86003
SHA1

4c401e6cdf0250d68e30b5137586897a63ff629c
SHA256

3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207
SHA512

8f416ae87c4513d692c8e64e860434cece3118a635ac7187f91621da4217917886add5352ea80826d7000bdebda59ae6cbf02ee109a3b0cb3c9f7279524c1642
SSDEEP

384:Ew/jpHowi33kTwFJ40sBWhlabvdF2t7S9wd5ASc:/lH3i3yAJ8eMFF2pCI2

Score

10^/10

gh0strat purplefox evasion rat rootkit trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe

Resource

win7-20220901-en

gh0strat purplefox evasion rat rootkit trojan upx

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207
- Size
  
  36KB
- MD5
  
  2e5301c5190bee4c4ea97fad9fd86003
- SHA1
  
  4c401e6cdf0250d68e30b5137586897a63ff629c
- SHA256
  
  3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207
- SHA512
  
  8f416ae87c4513d692c8e64e860434cece3118a635ac7187f91621da4217917886add5352ea80826d7000bdebda59ae6cbf02ee109a3b0cb3c9f7279524c1642
- SSDEEP
  
  384:Ew/jpHowi33kTwFJ40sBWhlabvdF2t7S9wd5ASc:/lH3i3yAJ8eMFF2pCI2
Score

10^/10

gh0strat purplefox evasion rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxevasionratrootkittrojanupx

behavioral2

© 2018-2024

Terms | Privacy