gh0strat | 087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7

General

Target

087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe
Size

24KB
MD5

bd08bf688aa1a6d46c1675b57110dd7b
SHA1

27ace7f22287839bf704f40581e18563b3ae7038
SHA256

087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7
SHA512

5666dec348b4dfae38b00cfd03fb4bef0824d5c0bdc7d87095bf1d777194f279c2b369356f4560dce40f5080322db7e96c12b095c59a1791f48ca9d6268b41f9
SSDEEP

192:h0lkFwtXjJQoOLqeCamZWRmqyRmgP1oyn0wW0//093j5ZG/XNTMfNWnxcc:5StXlQoCqCk1qwr096/XNTMfNWnxj

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1544-123-0x0000000010000000-0x0000000010191000-memory.dmp	purplefox_rootkit
behavioral1/memory/872-132-0x0000000004720000-0x00000000047A0000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1544-123-0x0000000010000000-0x0000000010191000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

2.exetest.exe

pid process

1544 2.exe
1536 test.exe

pid	process
1544	2.exe
1536	test.exe

Loads dropped DLL 3 IoCs

Processes:

087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe

pid	process
1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe
1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe
1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2.exe

description	ioc	process
File opened (read-only)	\??\N:	2.exe
File opened (read-only)	\??\P:	2.exe
File opened (read-only)	\??\Q:	2.exe
File opened (read-only)	\??\T:	2.exe
File opened (read-only)	\??\W:	2.exe
File opened (read-only)	\??\B:	2.exe
File opened (read-only)	\??\G:	2.exe
File opened (read-only)	\??\H:	2.exe
File opened (read-only)	\??\I:	2.exe
File opened (read-only)	\??\M:	2.exe
File opened (read-only)	\??\Y:	2.exe
File opened (read-only)	\??\E:	2.exe
File opened (read-only)	\??\F:	2.exe
File opened (read-only)	\??\L:	2.exe
File opened (read-only)	\??\O:	2.exe
File opened (read-only)	\??\R:	2.exe
File opened (read-only)	\??\V:	2.exe
File opened (read-only)	\??\X:	2.exe
File opened (read-only)	\??\J:	2.exe
File opened (read-only)	\??\K:	2.exe
File opened (read-only)	\??\S:	2.exe
File opened (read-only)	\??\U:	2.exe
File opened (read-only)	\??\Z:	2.exe

Drops file in System32 directory 3 IoCs

Processes:

mmc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	mmc.exe
File opened for modification	C:\Windows\System32\gpedit.msc	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mmc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main mmc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

test.exe

pid	process
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe
1536	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

872 mmc.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

mmc.exe

description pid process

Token: 33 872 mmc.exe
Token: SeIncBasePriorityPrivilege 872 mmc.exe
Token: 33 872 mmc.exe
Token: SeIncBasePriorityPrivilege 872 mmc.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe2.exemmc.exe

pid process

1368 087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe
1544 2.exe
1544 2.exe
872 mmc.exe
872 mmc.exe
872 mmc.exe
872 mmc.exe

pid	process
872	mmc.exe

description	pid	process
Token: 33	872	mmc.exe
Token: SeIncBasePriorityPrivilege	872	mmc.exe
Token: 33	872	mmc.exe
Token: SeIncBasePriorityPrivilege	872	mmc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exetest.exe

description	pid	process	target process
PID 1368 wrote to memory of 1544	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	2.exe
PID 1368 wrote to memory of 1544	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	2.exe
PID 1368 wrote to memory of 1544	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	2.exe
PID 1368 wrote to memory of 1544	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	2.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1368 wrote to memory of 1536	1368	087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe	test.exe
PID 1536 wrote to memory of 892	1536	test.exe	cmd.exe
PID 1536 wrote to memory of 892	1536	test.exe	cmd.exe
PID 1536 wrote to memory of 892	1536	test.exe	cmd.exe
PID 1536 wrote to memory of 892	1536	test.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe
"C:\Users\Admin\AppData\Local\Temp\087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\ProgramData\homo\2.exe
"C:\ProgramData\homo\2.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1544

C:\ProgramData\homo\test.exe
"C:\ProgramData\homo\test.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\ProgramData\114514
3⤵
PID:892

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\homo\2.exe
Filesize
1.8MB

MD5
0322daf8494af68b414ca24cd707d0f9

SHA1
f9d329623dc471a54f98cdafc239d20cab5a06bf

SHA256
6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

SHA512
f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

Download Submit
C:\ProgramData\homo\2.exe
Filesize
1.8MB

MD5
0322daf8494af68b414ca24cd707d0f9

SHA1
f9d329623dc471a54f98cdafc239d20cab5a06bf

SHA256
6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

SHA512
f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

Download Submit
C:\ProgramData\homo\test.exe
Filesize
194KB

MD5
51952555d3ecfd945774f0eec76b4089

SHA1
a834c93370c730cdec27e7b0cb60384c19635eb6

SHA256
fd765b9af9198ea8487d849d433806a29f2cffcd8a0b5bf841a129cda9d312dd

SHA512
35f58225f72b62eabb00018f4bf7786b35b87578e8101736d7f5b3352cd54a377e6859cf39d65c811e1a2ffa36a84c91a2a9211e67ae991ba084f71b85ae8993

Download Submit
C:\ProgramData\homo\test.exe
Filesize
194KB

MD5
51952555d3ecfd945774f0eec76b4089

SHA1
a834c93370c730cdec27e7b0cb60384c19635eb6

SHA256
fd765b9af9198ea8487d849d433806a29f2cffcd8a0b5bf841a129cda9d312dd

SHA512
35f58225f72b62eabb00018f4bf7786b35b87578e8101736d7f5b3352cd54a377e6859cf39d65c811e1a2ffa36a84c91a2a9211e67ae991ba084f71b85ae8993

Download Submit
\ProgramData\homo\2.exe
Filesize
1.8MB

MD5
0322daf8494af68b414ca24cd707d0f9

SHA1
f9d329623dc471a54f98cdafc239d20cab5a06bf

SHA256
6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

SHA512
f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

Download Submit
\ProgramData\homo\2.exe
Filesize
1.8MB

MD5
0322daf8494af68b414ca24cd707d0f9

SHA1
f9d329623dc471a54f98cdafc239d20cab5a06bf

SHA256
6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

SHA512
f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

Download Submit
\ProgramData\homo\test.exe
Filesize
194KB

MD5
51952555d3ecfd945774f0eec76b4089

SHA1
a834c93370c730cdec27e7b0cb60384c19635eb6

SHA256
fd765b9af9198ea8487d849d433806a29f2cffcd8a0b5bf841a129cda9d312dd

SHA512
35f58225f72b62eabb00018f4bf7786b35b87578e8101736d7f5b3352cd54a377e6859cf39d65c811e1a2ffa36a84c91a2a9211e67ae991ba084f71b85ae8993

Download Submit
memory/872-130-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/872-132-0x0000000004720000-0x00000000047A0000-memory.dmp

Filesize
512KB

Download
memory/872-152-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/872-153-0x0000000004720000-0x00000000047A0000-memory.dmp

Filesize
512KB

Download
memory/1544-123-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads