gh0strat | c9796e1f0f01e7a5b8cf935f7e7791a0404896b5b163d5e683466476a026674f | Triage

Sharing

General

Target

c9796e1f0f01e7a5b8cf935f7e7791a0404896b5b163d5e683466476a026674f
Size

2.0MB
Sample

230815-f69ynsah9v
MD5

7415b196485ef546cc820b6e712ecc87
SHA1

63883b4670d0a1d0a0d1909f9fbc553bda5b43b5
SHA256

c9796e1f0f01e7a5b8cf935f7e7791a0404896b5b163d5e683466476a026674f
SHA512

2fe69624187139d10db887fa420b705ccd01c4600bac5f17c7d5ba0a5f88b5c572d203283b2ee006c8e14c1735d663596cfaf41fa9332733c8c742a3753d3828
SSDEEP

49152:8LmrcalR0trlTCemikUugo8ttijutK8BTlp8nf4uuFbq9l/bh+y+qRCKDUQUO:8Lmrcg0trlTRv9uyfijuE8Bpp8nfvebM

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Targets

- Target
  
  2000xlsx.exe
- Size
  
  2.3MB
- MD5
  
  efb770307d1ad984b1ce99d495955d33
- SHA1
  
  045043140c84837ee2eb60afeed3c32499ab5343
- SHA256
  
  64f12cbef2b73d7fd8cbcb9260c77d94db1761964031b1e9c78cacf7a3b6b666
- SHA512
  
  cca246cf661520082974be53dfd8263876dd343efa0999bc8ae5e268158a329e2b29e73a9429f83aaa603592f1de4fd7632be838b65e44447ed3e1d1961cbcad
- SSDEEP
  
  49152:Av4ZPcazR0Djlbk6YiiUSeyleOU0oYTxReVjGKCodEfDTQsvD/DX+y4onCYDoD5:HZPcK0DjlbfH1STlefqReVjGJodErTQ1
Score

10^/10

gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  500.xls
- Size
  
  39KB
- MD5
  
  5c612525671c64c49e8eecf1ffc4b3fe
- SHA1
  
  2f30d4395ea2ad16e7a9f74bdb202b5e37b64532
- SHA256
  
  4d668686bd651cbff85549ccb2a301349ffa36f2167d254468a0bfc9d64943a5
- SHA512
  
  70180ef400920783dbf39f2985ca373cac11c9e79890d5b1600a2793aff473d039c0a631c7230e4e28fc3e6877d45290f4cb6b3be380e186495b513446bc1016
- SSDEEP
  
  768:VCCCkRQS4zTbQleoPE8KI0fXb/0T7Eusxu3EfeH8wmoNWBIeRw6x65:VCCCkRQS4zTbQleoPE8KI0fXba7EuqfQ
Score

1^/10
behavioral3 behavioral4
- Target
  
  800个.xlsx
- Size
  
  20KB
- MD5
  
  fc03c4c5d61b219794956b5690cf9731
- SHA1
  
  3e8aaf112c7c110424a15b1ccb7455d7e4f75be1
- SHA256
  
  648e715364b9792dc4b73cfd1113983bfd39b78077b13bd14d3ebbe5713c08b9
- SHA512
  
  dd6b9022f8d099377bf20a033b045e5b604c8815c8c8004eacdb7aefcc61cf2cb7bf705ca57eb91a7eabaabe7ee6cd8f0de2821d1b3d27879bd56cc72837aad6
- SSDEEP
  
  384:J8L6eit9kTCrYONMM0mPnvXo0RhYvwAv5PVPZykFO5KLAaWM/wbID:CL6eizkTC0OPXo0RhYvxPVPAkQPaWMow
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpurplefoxratrootkittrojan

behavioral3

behavioral4

behavioral5

behavioral6