gh0strat | d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287 | Triage

Submit
Reports

Overview

overview

Static

static

3

d47972b8b3...87.exe

windows7-x64

d47972b8b3...87.exe

windows10-2004-x64

Sharing

General

Target

d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287
Size

4.7MB
Sample

231011-f6d61abh7s
MD5

eaa82730e762d30e490528fc23c5739c
SHA1

76b9d99d8812a58ab0d102558699acf21fa2ca17
SHA256

d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287
SHA512

c1438c8e448deb6c829ff327e41a0ff5a97fdf2706b069d017fd3624ecdaf30ab51cde7d6554a7de7c787342db8ecb55a230c761b690b2a7911e930187f2220a
SSDEEP

49152:TQZAdVyVT9n/Gg0P+WhoXvyn2vbXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHCr:UGdVyVT9nOgmhovyn2vbXsPN5kiQaZ56

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287.exe

Resource

win7-20230831-en

gh0strat purplefox persistence rat rootkit trojan upx

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287.exe

Resource

win10v2004-20230915-en

gh0strat purplefox rat rootkit trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287
- Size
  
  4.7MB
- MD5
  
  eaa82730e762d30e490528fc23c5739c
- SHA1
  
  76b9d99d8812a58ab0d102558699acf21fa2ca17
- SHA256
  
  d47972b8b326f480e54ad028eeffc792c38e1fbec7a94583a18a79e4666d3287
- SHA512
  
  c1438c8e448deb6c829ff327e41a0ff5a97fdf2706b069d017fd3624ecdaf30ab51cde7d6554a7de7c787342db8ecb55a230c761b690b2a7911e930187f2220a
- SSDEEP
  
  49152:TQZAdVyVT9n/Gg0P+WhoXvyn2vbXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHCr:UGdVyVT9nOgmhovyn2vbXsPN5kiQaZ56
Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxpersistenceratrootkittrojanupx

behavioral2

gh0stratpurplefoxratrootkittrojanupx

© 2018-2025

Terms | Privacy