gh0strat | 23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64

General

Target

23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
Size

1.7MB
MD5

a1ddbea99afa3ef646682936931a53b6
SHA1

9185ca5710c7a491b2a9bd69826b029fe09edd63
SHA256

23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64
SHA512

694b70caefe99fc2a94e8935d3d58d7042c0201cdb50e18c3d62fa224a27f512be2c8b6bde539c069c21d53d81f7ae4098b9784f894cab586ac53b8fa0089e33
SSDEEP

24576:2OG2DRnVNPIzjXNqcmP8/meiNClX1cpVrtIGCuh8iq4SxIaKMfC17G2iqy+gsEQk:2uNPOrkNE/meiolqRtxh1g/fCQale+Hu

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2556-8766-0x0000000000400000-0x0000000000684000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2556-8766-0x0000000000400000-0x0000000000684000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

description	ioc	process
File opened (read-only)	\??\U:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\X:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\Y:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\B:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\G:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\J:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\N:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\P:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\Z:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\T:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\W:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\H:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\K:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\L:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\O:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\S:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\E:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\M:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\V:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\I:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\Q:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
File opened (read-only)	\??\R:	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

Processes:

23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

pid	process
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

pid	process
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

description	pid	process
Token: 33	2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
Token: SeIncBasePriorityPrivilege	2556	23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe

C:\Users\Admin\AppData\Local\Temp\23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe
"C:\Users\Admin\AppData\Local\Temp\23b9e1f97e06b904b3f2bac19f59d1ac1c33ab06733ac2e5c1115225a6cfcc64.exe"
1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2556-54-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2556-55-0x0000000076E10000-0x0000000076E57000-memory.dmp

Filesize
284KB

Download
memory/2556-868-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-866-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-865-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-870-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-872-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-876-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-874-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-878-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-880-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-884-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-882-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-888-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-886-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-890-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-894-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-892-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-898-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-896-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-900-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-902-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-904-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-906-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-908-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-910-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-914-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-912-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-916-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-918-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-922-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-920-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-924-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-926-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-2601-0x0000000002000000-0x0000000002100000-memory.dmp

Filesize
1024KB

Download
memory/2556-2602-0x0000000002330000-0x00000000024B1000-memory.dmp

Filesize
1.5MB

Download
memory/2556-4378-0x0000000002000000-0x0000000002100000-memory.dmp

Filesize
1024KB

Download
memory/2556-8742-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/2556-8747-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2556-8766-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads