gh0strat

General

Target

HD_X.dat
Size

2.4MB
Sample

230307-llymsshe78
MD5

6ec3e1ebaa6de0081d4948045a41ceb9
SHA1

b02b3cdfd4aef3a95de668180dc6253624cdbda8
SHA256

8e1c6c59d9418d2c85c9e2a8fa82d5912b41ac11c258b7cb6a97af02dfa4c4f1
SHA512

cb4deecafbe578876d48ee043ad0777eae0356908976f14daf9489ac2332b5de9ccd59391647e44d57137b1a2b4eee5b96a0994df0390a8d526fab0faaf0d08a
SSDEEP

24576:pCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHz:pCwsbCANnKXferL7Vwe/Gg0P+Wh9EP

Score

10^/10

Malware Config

Targets

- Target
  
  HD_X.dat
- Size
  
  2.4MB
- MD5
  
  6ec3e1ebaa6de0081d4948045a41ceb9
- SHA1
  
  b02b3cdfd4aef3a95de668180dc6253624cdbda8
- SHA256
  
  8e1c6c59d9418d2c85c9e2a8fa82d5912b41ac11c258b7cb6a97af02dfa4c4f1
- SHA512
  
  cb4deecafbe578876d48ee043ad0777eae0356908976f14daf9489ac2332b5de9ccd59391647e44d57137b1a2b4eee5b96a0994df0390a8d526fab0faaf0d08a
- SSDEEP
  
  24576:pCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHz:pCwsbCANnKXferL7Vwe/Gg0P+Wh9EP
Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

Detect PurpleFox Rootkit

Gh0st RAT payload

PurpleFox

Drops file in Drivers directory

Sets DLL path for service in the registry

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2