Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

tmp
Size

1MB
Sample

221218-1za6zsdg98
MD5

52bf7eabbd7166fc9a3338ea7924cd1b
SHA1

414968161f53d327617470b92a5af5067036d845
SHA256

63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
SHA512

7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
SSDEEP

24576:+d5hczucXF3NHOFJQ2Bdj59SW/IX2u9Av1:scSFLj7k2l

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Targets

- Target
  
  tmp
- Size
  
  1MB
- MD5
  
  52bf7eabbd7166fc9a3338ea7924cd1b
- SHA1
  
  414968161f53d327617470b92a5af5067036d845
- SHA256
  
  63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
- SHA512
  
  7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
- SSDEEP
  
  24576:+d5hczucXF3NHOFJQ2Bdj59SW/IX2u9Av1:scSFLj7k2l
Score

10^/10

gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojan

behavioral2

gh0stratpurplefoxratrootkittrojan