gh0strat | 0cd5ba847ee4e7966429e8f2e746bea07b0812db06bd02d262b1b0046e5a32d6 | Triage

Submit
Reports

Overview

overview

Static

static

7

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

720KB
Sample

230408-mnp9wach82
MD5

360a77d93eabf70e75735e3e42378a4d
SHA1

10b32d41b442352be8f4e8bc852dced9ebfdc6c8
SHA256

0cd5ba847ee4e7966429e8f2e746bea07b0812db06bd02d262b1b0046e5a32d6
SHA512

56f08de22e1c012660c2f839c527f37235d34f7be6af5cf0944ee11ab1eb96fdb2882cb3040b119ca31e71c9d63390747982432c5fa4781b2b61e41072efd4cc
SSDEEP

12288:AEj95N5zSmai5m7cRIOTrOtjpwdoy3CgByyy/0zjwveiE86rc0SaSEm7J:tx5Non7cRIUOzyPIyycjw2iE8v0SavEJ

Score

10^/10

gh0strat purplefox rat rootkit trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20230220-en

gh0strat purplefox rat rootkit trojan vmprotect

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20230221-en

gh0strat purplefox rat rootkit trojan vmprotect

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

45.207.11.105

Targets

- Target
  
  tmp
- Size
  
  720KB
- MD5
  
  360a77d93eabf70e75735e3e42378a4d
- SHA1
  
  10b32d41b442352be8f4e8bc852dced9ebfdc6c8
- SHA256
  
  0cd5ba847ee4e7966429e8f2e746bea07b0812db06bd02d262b1b0046e5a32d6
- SHA512
  
  56f08de22e1c012660c2f839c527f37235d34f7be6af5cf0944ee11ab1eb96fdb2882cb3040b119ca31e71c9d63390747982432c5fa4781b2b61e41072efd4cc
- SSDEEP
  
  12288:AEj95N5zSmai5m7cRIOTrOtjpwdoy3CgByyy/0zjwveiE86rc0SaSEm7J:tx5Non7cRIUOzyPIyycjw2iE8v0SavEJ
Score

10^/10

gh0strat purplefox rat rootkit trojan vmprotect
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojanvmprotect

behavioral2

gh0stratpurplefoxratrootkittrojanvmprotect

© 2018-2024

Terms | Privacy