gh0strat | 48510bebf306720ef131381ffac558d29d6794a382549f076f9aad1afc7fd587

General

Target

NA_NA_1bc9b02c777a32exeexe_JC.exe
Size

1.4MB
MD5

1bc9b02c777a32f8a050e9fef3b5da75
SHA1

9c275fd2361f8973256bf30cc4641f2bd06c017f
SHA256

48510bebf306720ef131381ffac558d29d6794a382549f076f9aad1afc7fd587
SHA512

8a2df0d93115b1b4bc9eeb389cdd4a29e44b6d6bcc372969d1dba12d94e4f849a2aa2038848ca524ac3a6edaabd919fc02aea699ea69252a3e0b5be582f332ad
SSDEEP

24576:r09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+/EBzkR/U:r09XJt4HIN2H2tFvduySpEd

Score

10^/10

gh0strat purplefox rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1640-62-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1640-63-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-62-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1640-63-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2408-71-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Executes dropped EXE 2 IoCs

Processes:

RVN.exeTXPlatforn.exe

pid process

1640 RVN.exe
2408 TXPlatforn.exe
Loads dropped DLL 1 IoCs

Processes:

NA_NA_1bc9b02c777a32exeexe_JC.exe

pid process

1712 NA_NA_1bc9b02c777a32exeexe_JC.exe

pid	process
1640	RVN.exe
2408	TXPlatforn.exe

pid	process
1712	NA_NA_1bc9b02c777a32exeexe_JC.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1640-59-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1640-62-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1640-63-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2408-71-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RVN.exe

description pid process

Token: SeIncBasePriorityPrivilege 1640 RVN.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NA_NA_1bc9b02c777a32exeexe_JC.exe

pid process

1712 NA_NA_1bc9b02c777a32exeexe_JC.exe
1712 NA_NA_1bc9b02c777a32exeexe_JC.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1640	RVN.exe

pid	process
1712	NA_NA_1bc9b02c777a32exeexe_JC.exe
1712	NA_NA_1bc9b02c777a32exeexe_JC.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

NA_NA_1bc9b02c777a32exeexe_JC.exe

description	pid	process	target process
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe
PID 1712 wrote to memory of 1640	1712	NA_NA_1bc9b02c777a32exeexe_JC.exe	RVN.exe

C:\Users\Admin\AppData\Local\Temp\NA_NA_1bc9b02c777a32exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_1bc9b02c777a32exeexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    PID:2500

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
PID:2408
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/1640-59-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1640-62-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1640-63-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2408-71-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads