gh0strat | 97c0b79f8421a1b0c3ef8129564ecf8b6ef037bdd432c8e856fd84e5d207edf4

Analysis

max time kernel
47s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-06-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03047899.exe
Size

2.9MB
MD5

0772c75ff821f29e479ddc1da9a87740
SHA1

a06b6ed12126982f590893526ae6e3eec56ee4fc
SHA256

97c0b79f8421a1b0c3ef8129564ecf8b6ef037bdd432c8e856fd84e5d207edf4
SHA512

f0c40bb177c6ec4879840410fd0510bdf3c5d3e6a0de8d8f4ca98c23d0557f41f3e557184637ee9b29821b24927d5cea2951b118c84f5164a65ed3a580631286
SSDEEP

49152:WVbFeZNzXNBukNbW1Z6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcQ:ubONzdBPKg3Yz5J/693kb

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1896-108-0x0000000010000000-0x0000000010192000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-108-0x0000000010000000-0x0000000010192000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Executes dropped EXE 3 IoCs

Processes:

v.exev.exejerryrat.exe

pid process

1976 v.exe
876 v.exe
1896 jerryrat.exe
Loads dropped DLL 5 IoCs

Processes:

03047899.exe

pid process

1760 03047899.exe
1760 03047899.exe
1760 03047899.exe
1760 03047899.exe
1760 03047899.exe

pid	process
1976	v.exe
876	v.exe
1896	jerryrat.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jerryrat.exe

description	ioc	process
File opened (read-only)	\??\H:	jerryrat.exe
File opened (read-only)	\??\M:	jerryrat.exe
File opened (read-only)	\??\N:	jerryrat.exe
File opened (read-only)	\??\Q:	jerryrat.exe
File opened (read-only)	\??\W:	jerryrat.exe
File opened (read-only)	\??\P:	jerryrat.exe
File opened (read-only)	\??\U:	jerryrat.exe
File opened (read-only)	\??\Y:	jerryrat.exe
File opened (read-only)	\??\B:	jerryrat.exe
File opened (read-only)	\??\I:	jerryrat.exe
File opened (read-only)	\??\J:	jerryrat.exe
File opened (read-only)	\??\K:	jerryrat.exe
File opened (read-only)	\??\L:	jerryrat.exe
File opened (read-only)	\??\E:	jerryrat.exe
File opened (read-only)	\??\F:	jerryrat.exe
File opened (read-only)	\??\G:	jerryrat.exe
File opened (read-only)	\??\R:	jerryrat.exe
File opened (read-only)	\??\X:	jerryrat.exe
File opened (read-only)	\??\O:	jerryrat.exe
File opened (read-only)	\??\S:	jerryrat.exe
File opened (read-only)	\??\T:	jerryrat.exe
File opened (read-only)	\??\V:	jerryrat.exe
File opened (read-only)	\??\Z:	jerryrat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

992 1760 WerFault.exe 03047899.exe

pid	pid_target	process	target process
992	1760	WerFault.exe	03047899.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jerryrat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jerryrat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jerryrat.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

hh.exehh.exehh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

03047899.exejerryrat.exe

pid	process
1760	03047899.exe
1760	03047899.exe
1760	03047899.exe
1760	03047899.exe
1760	03047899.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe
1896	jerryrat.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

03047899.exehh.exehh.exehh.exe

pid process

1760 03047899.exe
1760 03047899.exe
936 hh.exe
936 hh.exe
752 hh.exe
752 hh.exe
1112 hh.exe
1112 hh.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

03047899.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 1688	1760	03047899.exe	cmd.exe
PID 1760 wrote to memory of 1688	1760	03047899.exe	cmd.exe
PID 1760 wrote to memory of 1688	1760	03047899.exe	cmd.exe
PID 1760 wrote to memory of 1688	1760	03047899.exe	cmd.exe
PID 1688 wrote to memory of 564	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 564	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 564	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 564	1688	cmd.exe	reg.exe
PID 1760 wrote to memory of 1976	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 1976	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 1976	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 1976	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 876	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 876	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 876	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 876	1760	03047899.exe	v.exe
PID 1760 wrote to memory of 1896	1760	03047899.exe	jerryrat.exe
PID 1760 wrote to memory of 1896	1760	03047899.exe	jerryrat.exe
PID 1760 wrote to memory of 1896	1760	03047899.exe	jerryrat.exe
PID 1760 wrote to memory of 1896	1760	03047899.exe	jerryrat.exe

C:\Users\Admin\AppData\Local\Temp\03047899.exe
"C:\Users\Admin\AppData\Local\Temp\03047899.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:564

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:1976

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\ma
2⤵
- Executes dropped EXE
PID:876

C:\Users\Public\xiaodaxzqxia\jerryrat.exe
C:\Users\Public\xiaodaxzqxia\jerryrat.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1216
2⤵
- Program crash
PID:992

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2371959790365926\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2371959790365926\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2371959790365926\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Filesize
8KB

MD5
255b013c799f517ee63417f056efa68a

SHA1
6427d0c30955eb023aa6150c034fd768db477994

SHA256
f24d70871d947b5959fcdf64537cbd4b0563b6e5084a2cfa3ff6270dad8c2809

SHA512
bff60d2f26a96d206a8e7895372a30c12e3095b7835ea9dc672ccaef08eff8953b39e8255dc58e67fbbc54e3e6c460632ac6e3dc7fda5b94822a1e53a2a976e2

Download Submit
C:\Users\Public\cxzvasdfg\2371959790365926\A11.chm
Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.5MB

MD5
6a37b4b3fa7c30242de550f429aedef1

SHA1
f7996877a0cdae7c6328c19c35f430f90803cae1

SHA256
a52e30d8dc89acd2e22fb56e95c919ed87fe908b829e77f380e284d9a2312776

SHA512
c715f6c0588f5534c79c5580840f412ca8693e546551b5786bedc8c8a1d76af36d8fb5b8fe19435b9ec182da19ff27b81693a739674ee83de52d103d6a8fd1f8

Download Submit
C:\Users\Public\xiaodaxzqxia\jerryrat.exe
Filesize
101.8MB

MD5
bf1b730495a79f66eab2aac35a0b2817

SHA1
d89578047501d4e220de0a47872f1515117153a2

SHA256
c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8

SHA512
e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

Download Submit
C:\Users\Public\xiaodaxzqxia\jerryrat.exe
Filesize
101.8MB

MD5
bf1b730495a79f66eab2aac35a0b2817

SHA1
d89578047501d4e220de0a47872f1515117153a2

SHA256
c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8

SHA512
e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

Download Submit
C:\Users\Public\xiaodaxzqxia\ma
Filesize
799KB

MD5
d66f3d98bb9260a2f25cb79fc43253d7

SHA1
74862b6db445959a9ef16a51b73c3dcedbe9be81

SHA256
64d9b2c4e4772ba2ee30f878aa0d006983b4de15764c8e7ddae74dc39611857c

SHA512
a830419304436966604f97022c9f938041196596f50864bee31ddda1d401e93e3f0494263652c8e3de277c81e6bb84eb20222efaea75c1af1ece374fe555b46c

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\jerryrat.exe
Filesize
101.8MB

MD5
bf1b730495a79f66eab2aac35a0b2817

SHA1
d89578047501d4e220de0a47872f1515117153a2

SHA256
c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8

SHA512
e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

Download Submit
\Users\Public\xiaodaxzqxia\jerryrat.exe
Filesize
101.8MB

MD5
bf1b730495a79f66eab2aac35a0b2817

SHA1
d89578047501d4e220de0a47872f1515117153a2

SHA256
c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8

SHA512
e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/876-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1896-108-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/1976-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download