gh0strat | 63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

1.4MB
Sample

221218-1za6zsdg98
MD5

52bf7eabbd7166fc9a3338ea7924cd1b
SHA1

414968161f53d327617470b92a5af5067036d845
SHA256

63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
SHA512

7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
SSDEEP

24576:+d5hczucXF3NHOFJQ2Bdj59SW/IX2u9Av1:scSFLj7k2l

Score

10^/10

gh0strat purplefox rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220901-en

gh0strat purplefox rat rootkit trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20221111-en

gh0strat purplefox rat rootkit trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  tmp
- Size
  
  1.4MB
- MD5
  
  52bf7eabbd7166fc9a3338ea7924cd1b
- SHA1
  
  414968161f53d327617470b92a5af5067036d845
- SHA256
  
  63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
- SHA512
  
  7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
- SSDEEP
  
  24576:+d5hczucXF3NHOFJQ2Bdj59SW/IX2u9Av1:scSFLj7k2l
Score

10^/10

gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojan

behavioral2

gh0stratpurplefoxratrootkittrojan

© 2018-2024

Terms | Privacy