gh0strat | c9279ecdd8061a0eac0ebf9dc022168adcb2c35c3be9234aa95e4887ab8cc459 | Triage

Submit
Reports

Overview

overview

Static

static

7

209b830eaa...c2.exe

windows7-x64

209b830eaa...c2.exe

windows10-2004-x64

Sharing

General

Target

209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2.zip
Size

896KB
Sample

230426-lwpgwage87
MD5

00f5f475b52dacfc90907678994cbd91
SHA1

58587fc4af8307d93a3d035ee4b262e9373efbe2
SHA256

c9279ecdd8061a0eac0ebf9dc022168adcb2c35c3be9234aa95e4887ab8cc459
SHA512

10a416f63b9540a18c8a05e7c93e5200100e5aed713f5825d3983ac3053d516ae5f382a4a742e5184e46cf632f8a6e7c13c0e95bfe8327e699edb8441673e9d6
SSDEEP

12288:R8RJhdZyWV/zI4+d0qdg1uEQRr36JFK34OtILYp+MbXYuGRPuW1OSuls6cj:+hdZy4ChOoLRr3Me4EnpEuGAWMSuCpj

Score

10^/10

gh0strat purplefox rat rootkit trojan vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2.exe

Resource

win7-20230220-en

gh0strat purplefox rat rootkit trojan vmprotect

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2.exe

Resource

win10v2004-20230220-en

gh0strat purplefox rat rootkit trojan vmprotect

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2
- Size
  
  940KB
- MD5
  
  c6d42e472da07b2416d8cf3fc53c1d72
- SHA1
  
  14ce51b4db350ee4b4d27b8345ba9c54eb451e39
- SHA256
  
  209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2
- SHA512
  
  d6483329d18c460f2fe35deb88db54d4ddd15d3687b1528aabda3cbe8f1410e2ad8358a01daa6f709919411d04d92a05a037c125f7728d4b8f3736e6f35ce666
- SSDEEP
  
  24576:uyVctzwg4HziULzs2CVUaAupwS0Bj9CjIv9dVrG3h:uyCtzCTiwCJiKjInVr
Score

10^/10

gh0strat purplefox rat rootkit trojan vmprotect
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Deletes itself
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojanvmprotect

behavioral2

gh0stratpurplefoxratrootkittrojanvmprotect

© 2018-2024

Terms | Privacy