gh0strat | ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df

General

Target

ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe
Size

1.3MB
MD5

d7384ee609eb1a92b94523787c17614d
SHA1

6eb7a157ee0ebae281f50a5b6f6cc7598f0d7f56
SHA256

ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df
SHA512

dfbaabeb0f3692d8e83f3eca45aab97c51c1b53290a10bdfea638702872fab8340d60c961346e8676d172590ba2216ae6d4f26f5ac2f1bd9f6fa72d029312cd0
SSDEEP

24576:9OyHutimZ9VSly2hVvHW6qMnSbTBBhBMNvFyzhyz:wHPkVOBTK

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/1632-0-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1632-0-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Vnfvn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Vnfvn.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	Vnfvn.exe
3044	Vnfvn.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	Vnfvn.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Vnfvn.exe	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe
File opened for modification	C:\Windows\SysWOW64\Vnfvn.exe	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2160	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3044	Vnfvn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1632	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe
Token: SeLoadDriverPrivilege	3044	Vnfvn.exe
Token: 33	3044	Vnfvn.exe
Token: SeIncBasePriorityPrivilege	3044	Vnfvn.exe
Token: 33	3044	Vnfvn.exe
Token: SeIncBasePriorityPrivilege	3044	Vnfvn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3024	1632	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe	29
PID 1632 wrote to memory of 3024	1632	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe	29
PID 1632 wrote to memory of 3024	1632	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe	29
PID 1632 wrote to memory of 3024	1632	ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe	29
PID 2524 wrote to memory of 3044	2524	Vnfvn.exe	31
PID 2524 wrote to memory of 3044	2524	Vnfvn.exe	31
PID 2524 wrote to memory of 3044	2524	Vnfvn.exe	31
PID 2524 wrote to memory of 3044	2524	Vnfvn.exe	31
PID 3024 wrote to memory of 2160	3024	cmd.exe	30
PID 3024 wrote to memory of 2160	3024	cmd.exe	30
PID 3024 wrote to memory of 2160	3024	cmd.exe	30
PID 3024 wrote to memory of 2160	3024	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe
"C:\Users\Admin\AppData\Local\Temp\ade7d77bea75470f2b172b27ffcb8d3ae43eefd1de981cb4d9a01b7f2cee46df.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\ADE7D7~1.EXE > nul
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2160

C:\Windows\SysWOW64\Vnfvn.exe
C:\Windows\SysWOW64\Vnfvn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Vnfvn.exe
  C:\Windows\SysWOW64\Vnfvn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Vnfvn.exe

Filesize
145KB

MD5
6d0faeb83423866d10960bd295540873

SHA1
47c27baf0625fef125b6b1860287e6b19123952c

SHA256
1a46caa04eab6c54dea8c0b244a101b3c08eb5b58c24d255e9499fc3df8c2c47

SHA512
ecfa8cbf5593403695dae32e2f57bda449ece7839814a852c939ab2c64c85e368e1a179195ad4d53c8ed6b63b6850a8c47e072eb517fde4d754d7d57faa7bc6d

Download Submit
C:\Windows\SysWOW64\Vnfvn.exe

Filesize
135KB

MD5
3af8c2d09fa02f4311e96789fc53279e

SHA1
eb8207df7c41ab76db2e3fe79c55cea586ed6b0e

SHA256
65d28556ed683eea673dedef2830aafa395ac6e9ded26668a48c4c7489260d93

SHA512
0e58f6f836058ae19f18fb202a8fb972c4ed3b24396950a9cded339ae0012d1df5de6e6a75178792090bdd01a6a97fec14e4847e5b0ef441ab58a427169ee43a

Download Submit
C:\Windows\SysWOW64\Vnfvn.exe

Filesize
251KB

MD5
96706e9dce7ff4640c330c152bd38b87

SHA1
f22bdb71c9088b5bb2e15989194ee2c2180411ce

SHA256
380ab3a36ca12181315c815709d7460bf7e379590682eb20d004d1b9f8b5594b

SHA512
3209ff547f25d3ebb3da41e8475e9d0fc12cbe2071aa7d23c9492465b859a838e464673ef03c00026548564d98922fbfebe59e21866381eec9c3f172458a2b42

Download Submit
\Windows\SysWOW64\Vnfvn.exe

Filesize
110KB

MD5
748c9d0af682bbb9125c3260a49c6d01

SHA1
01c24383980d44e34ae3bae7b338a0e8c9369905

SHA256
6e1bbab6f68b1c082e20bbd3335f05d8bd9215062ed71581c1b0dba09eca04f8

SHA512
1c8f85adf7af94793b6f6385389ac3413e70bebdbbace51ba5a45f8ab70c7a495463f59482ecb154603903398e1693c6673df4a310cb5e108113c8f7b76fc008

Download Submit
memory/1632-0-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads