gh0strat | 37fc9403c356982e20122b5ba7c9c79d638cb96e5a730999d51ebf5e990f1de1 | Triage

Submit
Reports

Overview

overview

Static

static

1

电子发票.exe

windows7-x64

电子发票.exe

windows10-2004-x64

8

Sharing

General

Target

税票-资料.zip
Size

713KB
Sample

230328-km2v6shh65
MD5

56a9d1693ab643cb9ca67fcb3bde4a06
SHA1

56a58bf64473e5af4b12a269fb97f72ec3852b12
SHA256

37fc9403c356982e20122b5ba7c9c79d638cb96e5a730999d51ebf5e990f1de1
SHA512

06e267d47e89d62ea3c29b7f765486456a51eb63d72a4b8a0a9eab2ac72df43596a216426aebddce735ab8e96839a51c9e7f15da0f8202f26a83570dd12ed763
SSDEEP

12288:ahk189Ig0Zg+g32KM4XP2Ftwmi1vuXwKhwk5OJfXwOitBjnrkcI7VSCMvr2KRlPr:ah7Ig0VQ2K3XP2F7i1vuXwKh/5zOij7H

Score

10^/10

gh0strat purplefox aspackv2 rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

电子发票.exe

Resource

win7-20230220-en

gh0strat purplefox aspackv2 rat rootkit trojan

windows7-x64

16 signatures

300 seconds

Behavioral task

behavioral2

Sample

电子发票.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

7 signatures

300 seconds

Malware Config

Extracted

Family

gh0strat

C2

103.127.83.61

Targets

- Target
  
  电子发票.exe
- Size
  
  802KB
- MD5
  
  edfbb83534100f3860a535f2d0e426c3
- SHA1
  
  42d2de7ec349ff289b34103f4b88f2121058ff5c
- SHA256
  
  df1c27d04216f9a99654d95347f8c20bc23cc88dc71ff895f0505f0ce9c776cb
- SHA512
  
  0f95ecaabfa0f83fa4509ea72efafd59b6c35e20e9169cfd11de1e580ba6914782e7ad339d15875bbff870ff38133cc633d223b7cbd976ac7b258c5a084bb91a
- SSDEEP
  
  24576:Sny/f9uCYXP25JiBvuXwKhbBh4iv/IVVWX7PPR0gthPW1:XFmIJSmgaVhvv/IVKrPy
Score

10^/10

gh0strat purplefox aspackv2 rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxaspackv2ratrootkittrojan

behavioral2

© 2018-2024

Terms | Privacy