gh0strat | 7e2d2d17f380d7848cb7ca0d64d718154c99383b9dedee4364086d297b7b0ea9 | Triage

Submit
Reports

Overview

overview

Static

static

小火箭1.exe

windows7-x64

小火箭1.exe

windows10-2004-x64

Sharing

General

Target

7e2d2d17f380d7848cb7ca0d64d718154c99383b9dedee4364086d297b7b0ea9
Size

16KB
Sample

221108-fyrr5ahgh9
MD5

edca4ca17efd894518c87ae83b240dfd
SHA1

91e4eeacd0bb0a2e0117294abca6cc4b783e2ab3
SHA256

7e2d2d17f380d7848cb7ca0d64d718154c99383b9dedee4364086d297b7b0ea9
SHA512

dc87b91f8c925bee50019db719e2e556680af57e28f49e24da61ec3f3740672d2471f4511369ae3307261fcb773cd6871a0260a79f69a5730958512b2d328234
SSDEEP

384:dnq5hI7gjxKDPSZ3pH3UFAeZktrYu4C089HthXYiWwvhVR:dq5hIAxAa1t5YC08hXhWqVR

Score

10^/10

gh0strat purplefox evasion rat rootkit trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

小火箭1.exe

Resource

win7-20220812-en

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

小火箭1.exe

Resource

win10v2004-20220901-en

gh0strat purplefox evasion rat rootkit trojan upx

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  小火箭1.exe
- Size
  
  68KB
- MD5
  
  63187506e27ea12188321ad86d44406a
- SHA1
  
  9f33b2253b411d5f0537d54a916e1d92bdff1208
- SHA256
  
  5754afdda9c0abd8315d84def76faf6337089a0a9e20ace5806e258b55c5cdd8
- SHA512
  
  db22ab26cedaa1a1d0093e34cbef97342ef2ae9b93cb419aa7ed5fe2495f72707d5eadc79c201642b39cac224e817245b69ed085536be086271d308109fed8b0
- SSDEEP
  
  1536:GxGlHygkX04uaz2vctMhXZLwhgusFMgBHJE6Y7yXVz0nD7DUD+DdD+CDjbD1DPD:Gx6S1JuaavctMhXZLwhgusFMgBHJE6Y/
Score

10^/10

evasion trojan gh0strat purplefox rat rootkit upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpurplefoxevasionratrootkittrojanupx

© 2018-2024

Terms | Privacy