gh0strat | fd6eb81590d22d47002590865955daa2ed559be1e9805099c59f5cb74a788c58

General

Target

WPS_Installer_.exe
Size

4.1MB
MD5

6e2cde27cf0f6d43d92687a13aef3980
SHA1

c35a49b96c283ed47e1d80153b76dffc5d296286
SHA256

fd6eb81590d22d47002590865955daa2ed559be1e9805099c59f5cb74a788c58
SHA512

3a735cd61335547a11d6290ad34f3be7c012f6020dc991ccfd733e46e747ac36649a07b5cbfbf9fadf7d357adb93d2520de46fe3193e8df27645121011d55f22
SSDEEP

98304:QSBIC1oZLORr1CjckI7d3bajae4Q+65q49HwWkFoLE3L:5CfONJTOuFQq45WKL6

Score

10^/10

gh0strat purplefox bootkit persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/4348-31-0x0000000010000000-0x0000000010199000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4348-31-0x0000000010000000-0x0000000010199000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Executes dropped EXE 2 IoCs

Processes:

WPS_Installer.exedahai.exe

pid process

4584 WPS_Installer.exe
4348 dahai.exe

pid	process
4584	WPS_Installer.exe
4348	dahai.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4304-0-0x0000000000400000-0x000000000050A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe	upx
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe	upx
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe	upx
behavioral2/memory/4584-18-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4304-22-0x0000000000400000-0x000000000050A000-memory.dmp	upx
behavioral2/memory/4584-28-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-30-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-39-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-40-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-41-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-45-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-64-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-65-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-66-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-67-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-68-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-69-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-70-0x00000000003F0000-0x0000000000993000-memory.dmp	upx
behavioral2/memory/4584-71-0x00000000003F0000-0x0000000000993000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dahai.exe

description	ioc	process
File opened (read-only)	\??\E:	dahai.exe
File opened (read-only)	\??\N:	dahai.exe
File opened (read-only)	\??\P:	dahai.exe
File opened (read-only)	\??\T:	dahai.exe
File opened (read-only)	\??\U:	dahai.exe
File opened (read-only)	\??\Y:	dahai.exe
File opened (read-only)	\??\B:	dahai.exe
File opened (read-only)	\??\K:	dahai.exe
File opened (read-only)	\??\R:	dahai.exe
File opened (read-only)	\??\M:	dahai.exe
File opened (read-only)	\??\S:	dahai.exe
File opened (read-only)	\??\W:	dahai.exe
File opened (read-only)	\??\X:	dahai.exe
File opened (read-only)	\??\Z:	dahai.exe
File opened (read-only)	\??\H:	dahai.exe
File opened (read-only)	\??\J:	dahai.exe
File opened (read-only)	\??\L:	dahai.exe
File opened (read-only)	\??\Q:	dahai.exe
File opened (read-only)	\??\V:	dahai.exe
File opened (read-only)	\??\G:	dahai.exe
File opened (read-only)	\??\I:	dahai.exe
File opened (read-only)	\??\O:	dahai.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

WPS_Installer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 WPS_Installer.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WPS_Installer.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4304-22-0x0000000000400000-0x000000000050A000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WPS_Installer_.exeWPS_Installer.exedahai.exe

pid	process
4304	WPS_Installer_.exe
4304	WPS_Installer_.exe
4304	WPS_Installer_.exe
4304	WPS_Installer_.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4584	WPS_Installer.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe
4348	dahai.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dahai.exe

pid process

4348 dahai.exe

pid	process
4348	dahai.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WPS_Installer_.exe

description	pid	process	target process
PID 4304 wrote to memory of 4584	4304	WPS_Installer_.exe	WPS_Installer.exe
PID 4304 wrote to memory of 4584	4304	WPS_Installer_.exe	WPS_Installer.exe
PID 4304 wrote to memory of 4584	4304	WPS_Installer_.exe	WPS_Installer.exe
PID 4304 wrote to memory of 4348	4304	WPS_Installer_.exe	dahai.exe
PID 4304 wrote to memory of 4348	4304	WPS_Installer_.exe	dahai.exe
PID 4304 wrote to memory of 4348	4304	WPS_Installer_.exe	dahai.exe

C:\Users\Admin\AppData\Local\Temp\WPS_Installer_.exe
"C:\Users\Admin\AppData\Local\Temp\WPS_Installer_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\AppData\Local\Temp\dahaima\dahai.exe
"C:\Users\Admin\AppData\Local\Temp\dahaima\dahai.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahaima\dahai.exe

Filesize
1.6MB

MD5
174895d7e1a751397f161a785fb1b355

SHA1
27a56118d233adc9adcaaad95bedb0c8862c5277

SHA256
2609445b23bf24267c6c5b597d78a8cfedecde62fb5c567436829ecbce95d743

SHA512
2e9d5b7d247c9c2b3c38c4aecad08e217e2de7e3042c3eb67fb40e49c87c1709eeaec93119bbf4ea17464a75e8d1191795afbedc4f6bb62418a7619489df4d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\dahaima\dahai.exe

Filesize
1.6MB

MD5
174895d7e1a751397f161a785fb1b355

SHA1
27a56118d233adc9adcaaad95bedb0c8862c5277

SHA256
2609445b23bf24267c6c5b597d78a8cfedecde62fb5c567436829ecbce95d743

SHA512
2e9d5b7d247c9c2b3c38c4aecad08e217e2de7e3042c3eb67fb40e49c87c1709eeaec93119bbf4ea17464a75e8d1191795afbedc4f6bb62418a7619489df4d75

Download Submit
memory/4304-0-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4304-22-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4348-31-0x0000000010000000-0x0000000010199000-memory.dmp

Filesize
1.6MB

Download
memory/4584-18-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-64-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-28-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-39-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-40-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-41-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-45-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-30-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-65-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-66-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-67-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-68-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-69-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-70-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download
memory/4584-71-0x00000000003F0000-0x0000000000993000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads