gh0strat

General

Target

pleg.zip
Size

122.9MB
Sample

230815-tn5swsbg58
MD5

9fa65e4744953f8863f8ecd59b0043f3
SHA1

7ce01b3a3f9d942fbb29c09456162a4c679e05bc
SHA256

8857e1127d2d06b194a0b7767a648b1f125984fd7b575a59d328a50f498c3695
SHA512

6c519ffa890391479793582e96782aeb09dbf709662b9b31a70e755e066db71716d35abe2d69881eb9712097b2514e6d99df4cbe3cf94c8d7c3aebc328199be1
SSDEEP

3145728:EKlxbiwxzfmBibpn5e42h/r3w2cIDwppwDBe3oEbd7:EkIii42h/r3r1uwgZ7

Score

10^/10

Malware Config

Extracted

Family

xorddos

Attributes

crc_polynomial
EDB88320

Targets

- Target
  
  pleg.zip
- Size
  
  122.9MB
- MD5
  
  9fa65e4744953f8863f8ecd59b0043f3
- SHA1
  
  7ce01b3a3f9d942fbb29c09456162a4c679e05bc
- SHA256
  
  8857e1127d2d06b194a0b7767a648b1f125984fd7b575a59d328a50f498c3695
- SHA512
  
  6c519ffa890391479793582e96782aeb09dbf709662b9b31a70e755e066db71716d35abe2d69881eb9712097b2514e6d99df4cbe3cf94c8d7c3aebc328199be1
- SSDEEP
  
  3145728:EKlxbiwxzfmBibpn5e42h/r3w2cIDwppwDBe3oEbd7:EkIii42h/r3r1uwgZ7
Score

10^/10

gh0strat mimikatz purplefox xorddos botnet cryptone downloader packer rat rootkit trojan upx vmprotect
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- mimikatz is an open source tool to dump credentials on Windows
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect PurpleFox Rootkit

Gh0st RAT payload

Mimikatz

PurpleFox

XorDDoS

XorDDoS payload

CryptOne packer

mimikatz is an open source tool to dump credentials on Windows

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3