gh0strat | eb669e7365cbad282e4d7dec3bc60da80c60c7f3c4355efd00a32da4fecd9558 | Triage

Submit
Reports

Overview

overview

Static

static

7

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

720KB
Sample

230408-mzl2laeh9z
MD5

f708f02cb496196eb5bfe4b49473cef4
SHA1

d24f9529f080589f3d840aed084e97a504cd6293
SHA256

eb669e7365cbad282e4d7dec3bc60da80c60c7f3c4355efd00a32da4fecd9558
SHA512

76e00f2860cb2bd369bbf2ad2d10abf210212afe08c2a830a10b86f4fb0ca6003460847de01309dec9cb83b72d2af9cd426a6dfb3d4d4ffd4ee5f00738ffac8d
SSDEEP

12288:1hQZd75nad9xA/NgnT0P5VD0o+JAQCo7KUhN1oEegFAg0Q5bO9BdDjBmgb/j6lhE:1yZJ5nioNgn4DdSAnoOONNe8d+dcgb/h

Score

10^/10

gh0strat purplefox rat rootkit trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20230220-en

gh0strat purplefox rat rootkit trojan vmprotect

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20230221-en

gh0strat purplefox rat rootkit trojan vmprotect

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

38.47.204.22

Targets

- Target
  
  tmp
- Size
  
  720KB
- MD5
  
  f708f02cb496196eb5bfe4b49473cef4
- SHA1
  
  d24f9529f080589f3d840aed084e97a504cd6293
- SHA256
  
  eb669e7365cbad282e4d7dec3bc60da80c60c7f3c4355efd00a32da4fecd9558
- SHA512
  
  76e00f2860cb2bd369bbf2ad2d10abf210212afe08c2a830a10b86f4fb0ca6003460847de01309dec9cb83b72d2af9cd426a6dfb3d4d4ffd4ee5f00738ffac8d
- SSDEEP
  
  12288:1hQZd75nad9xA/NgnT0P5VD0o+JAQCo7KUhN1oEegFAg0Q5bO9BdDjBmgb/j6lhE:1yZJ5nioNgn4DdSAnoOONNe8d+dcgb/h
Score

10^/10

gh0strat purplefox rat rootkit trojan vmprotect
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojanvmprotect

behavioral2

gh0stratpurplefoxratrootkittrojanvmprotect

© 2018-2024

Terms | Privacy