gh0strat | 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad

General

Target

5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe
Size

1.4MB
MD5

400644e43f796fb3c7c48dead2d5997e
SHA1

0afa85b6fcfdfff1f014240421d8af64106fad4a
SHA256

5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad
SHA512

7a6f14f52557c097431224f3169fb287e84b93ed6a68fb1bb0324dd7baba0e013a7d83d4015eee87e1c0170596e8594311d5d794f35f5b225c37c20411ca5455
SSDEEP

24576:wOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN6c:5HPkVOBTK6

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/1984-0-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral1/memory/2784-18-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1984-0-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral1/memory/2784-18-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	Pqiyq.exe
2784	Pqiyq.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	Pqiyq.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqiyq.exe	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe
File opened for modification	C:\Windows\SysWOW64\Pqiyq.exe	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2692	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2732	1984	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe	28
PID 1984 wrote to memory of 2732	1984	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe	28
PID 1984 wrote to memory of 2732	1984	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe	28
PID 1984 wrote to memory of 2732	1984	5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe	28
PID 2156 wrote to memory of 2784	2156	Pqiyq.exe	27
PID 2156 wrote to memory of 2784	2156	Pqiyq.exe	27
PID 2156 wrote to memory of 2784	2156	Pqiyq.exe	27
PID 2156 wrote to memory of 2784	2156	Pqiyq.exe	27
PID 2732 wrote to memory of 2692	2732	cmd.exe	26
PID 2732 wrote to memory of 2692	2732	cmd.exe	26
PID 2732 wrote to memory of 2692	2732	cmd.exe	26
PID 2732 wrote to memory of 2692	2732	cmd.exe	26

C:\Users\Admin\AppData\Local\Temp\5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe
"C:\Users\Admin\AppData\Local\Temp\5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\5B0F4B~1.EXE > nul
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2732

C:\Windows\SysWOW64\Pqiyq.exe
C:\Windows\SysWOW64\Pqiyq.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Pqiyq.exe
  C:\Windows\SysWOW64\Pqiyq.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2784

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
1⤵
- Runs ping.exe
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Pqiyq.exe

Filesize
73KB

MD5
3a43a53fb0e94f2b96c0ba277c8b517a

SHA1
6c825c5e10140152a984a9cfc5e941ac96d42108

SHA256
812c56992d7ccf4279d5a5d12695c88a67b004bcd3b106700a3197a486a3c017

SHA512
2c07787d0d764bf6a75de01b03be4d87ad7acd87ec0dd55174d8dc17d62e0c94c0194700c5a2566bf083ca91e6d66247c61b9d4c30a1b3e74de3049c2d1709ca

Download Submit
C:\Windows\SysWOW64\Pqiyq.exe

Filesize
22KB

MD5
a82f38668ef161bd31e492da0caa94c0

SHA1
3f32632024371261da90926d54823ab0b26e79b9

SHA256
73154b7ede91f942cc0fa6a3b677be47f3de1fa9eba859c29aa19613f1d0c91a

SHA512
fd52ecfd25ac10fda6048b9a5ddf00be5084fe93ae8377056fcc23c9cc42334607d491fe39f62cfb6a2d63700ef0edf608690d5894d1bb49ce90d2968dc6e6e3

Download Submit
C:\Windows\SysWOW64\Pqiyq.exe

Filesize
1KB

MD5
3a6aa495639fdfadbee08b1458937422

SHA1
3ae4e532898d06cb618ca6e73e2858f0898f5030

SHA256
21f62bfe54c7407197918876ffe55540f6da41071a5f1f64b07a73abbc17668e

SHA512
3aff5ac522a470ee516f7919daf0c3d2ddd3de2548ac581a9d0177170fd7905d8bed683c30bf00412f81e0a31674448a35ab5685292d0350c911c78113874509

Download Submit
\Windows\SysWOW64\Pqiyq.exe

Filesize
45KB

MD5
0bf37176de9486ac5af65dc1bec302a5

SHA1
7d18795753f71e6cd5a12c289ac2716bb853eafa

SHA256
9506ed6cae47c8082d6db9c88fa5363f64d0b508c72c36b37255c30d0e89a91b

SHA512
77975b9b142557bad47f70b88257ba86f9f06c405b6833887942b3f33a960a487ed26c3b49e3062dd120c51f03544e5932a6a57a4d0d958d493718ab3228ab35

Download Submit
memory/1984-0-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/2784-18-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing