gh0strat | 445823ec2a16daeee6bab7018eb8e940d196d32e1e658745dabe925ccb9e2529 | Triage

Submit
Reports

Overview

overview

Static

static

1

image_2023...us.exe

windows7-x64

image_2023...us.exe

windows10-2004-x64

Sharing

General

Target

image_2023-03-25_15-34-35.png.virus.pif
Size

1.5MB
Sample

230326-gte37sff78
MD5

304f1fe84d21240f53265556f3e7aec1
SHA1

ba0b6b5b2b95316e64e9ff0707d05aba07f614c5
SHA256

445823ec2a16daeee6bab7018eb8e940d196d32e1e658745dabe925ccb9e2529
SHA512

d63606f4c2c0aac50ad8bd9bc096262f425bfb929dd4358156ec1bc497c80d0251c9595f77781b1dfd4b3c0c971bdbea0a190512db896e499a1a04974682a620
SSDEEP

24576:fLM4cWyTOI+rDsjmWs4V6NB+HMSu+O8MYehJsjLvYikHHJkSj+Z9X6DciYamKgFY:fLM4c3TOtrDsKivuwMhJKvrmHJcpSPYU

Score

10^/10

gh0strat purplefox rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

image_2023-03-25_15-34-35.png.virus.exe

Resource

win7-20230220-en

gh0strat purplefox rat rootkit trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

image_2023-03-25_15-34-35.png.virus.exe

Resource

win10v2004-20230220-en

gh0strat purplefox rat rootkit trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  image_2023-03-25_15-34-35.png.virus.pif
- Size
  
  1.5MB
- MD5
  
  304f1fe84d21240f53265556f3e7aec1
- SHA1
  
  ba0b6b5b2b95316e64e9ff0707d05aba07f614c5
- SHA256
  
  445823ec2a16daeee6bab7018eb8e940d196d32e1e658745dabe925ccb9e2529
- SHA512
  
  d63606f4c2c0aac50ad8bd9bc096262f425bfb929dd4358156ec1bc497c80d0251c9595f77781b1dfd4b3c0c971bdbea0a190512db896e499a1a04974682a620
- SSDEEP
  
  24576:fLM4cWyTOI+rDsjmWs4V6NB+HMSu+O8MYehJsjLvYikHHJkSj+Z9X6DciYamKgFY:fLM4c3TOtrDsKivuwMhJKvrmHJcpSPYU
Score

10^/10

gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojan

behavioral2

gh0stratpurplefoxratrootkittrojan

© 2018-2024

Terms | Privacy