Malware Analysis Report

2025-08-05 12:42

Sample ID 230829-b8fqdscc61
Target 6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305
SHA256 6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305
Tags: gh0strat purplefox persistence rat rootkit trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305

Threat Level: Known bad

The file 6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat

PurpleFox

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-29 01:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-29 01:48
Reported: 2023-08-29 01:51
Platform: win7-20230824-en
Max time kernel: 152s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meumn.exe = "C:\\Windows\\scvh0st.exe" | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\scvh0st.exe | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A
File opened for modification | C:\Windows\scvh0st.exe | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe

"C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dubai-a01.sktone.club | udp

Files

memory/2888-0-0x0000000010000000-0x00000000101AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-29 01:48
Reported: 2023-08-29 01:51
Platform: win10v2004-20230703-en
Max time kernel: 151s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Meumn.exe = "C:\\Windows\\scvh0st.exe" | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\scvh0st.exe | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A
File created | C:\Windows\scvh0st.exe | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe

"C:\Users\Admin\AppData\Local\Temp\6c3e03f52f5d51358eeecf2a477fbbf68d28737bed5bf24a28169b80f66c6305.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | dubai-a01.sktone.club | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | dubai-a01.sktone.club | udp
US | 8.8.8.8:53 | dubai-a01.sktone.club | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | dubai-a01.sktone.club | udp
US | 8.8.8.8:53 | dubai-a01.sktone.club | udp

Files

memory/2820-0-0x0000000010000000-0x00000000101AB000-memory.dmp