gh0strat | 19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe
Size

2.7MB
MD5

3ad1c9b351cf402836e4512afeb56a71
SHA1

5001db6ea8468270101dd2c2c87bcbe678bade47
SHA256

19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb
SHA512

652855f9543c13120d43e5739d262baaddcb0ca82ea15001e3ac49849baddd3ac46a10783d71815f0ae3220ff804ee472623e9a78a4af4932e3577180a684315
SSDEEP

24576:QCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHJ:QCwsbCANnKXferL7Vwe/Gg0P+Whm1gMl

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2748-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2748-25-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2904-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2904-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2904-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2904-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2748-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral1/memory/2748-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2748-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2904-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2904-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2904-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2904-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2748-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x000d000000012321-9.dat	family_gh0strat
behavioral1/files/0x000d000000012321-8.dat	family_gh0strat
behavioral1/files/0x000d000000012321-6.dat	family_gh0strat
behavioral1/files/0x000d000000012321-52.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259394188.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 5 IoCs

pid	Process
2472	R.exe
2748	N.exe
2668	TXPlatfor.exe
2904	TXPlatfor.exe
1064	Remote Data.exe

Loads dropped DLL 7 IoCs

pid	Process
3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe
2472	R.exe
2308	svchost.exe
3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe
2668	TXPlatfor.exe
2308	svchost.exe
1064	Remote Data.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2748-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2748-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2904-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2904-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2904-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2904-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2748-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2748-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259394188.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2556	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2904	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2748	N.exe
Token: SeLoadDriverPrivilege	2904	TXPlatfor.exe
Token: 33	2904	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2904	TXPlatfor.exe
Token: 33	2904	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2904	TXPlatfor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe
3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2472	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	25
PID 3052 wrote to memory of 2472	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	25
PID 3052 wrote to memory of 2472	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	25
PID 3052 wrote to memory of 2472	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	25
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 3052 wrote to memory of 2748	3052	19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe	23
PID 2748 wrote to memory of 2804	2748	N.exe	22
PID 2748 wrote to memory of 2804	2748	N.exe	22
PID 2748 wrote to memory of 2804	2748	N.exe	22
PID 2748 wrote to memory of 2804	2748	N.exe	22
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2668 wrote to memory of 2904	2668	TXPlatfor.exe	21
PID 2804 wrote to memory of 2556	2804	cmd.exe	19
PID 2804 wrote to memory of 2556	2804	cmd.exe	19
PID 2804 wrote to memory of 2556	2804	cmd.exe	19
PID 2804 wrote to memory of 2556	2804	cmd.exe	19
PID 2308 wrote to memory of 1064	2308	svchost.exe	38
PID 2308 wrote to memory of 1064	2308	svchost.exe	38
PID 2308 wrote to memory of 1064	2308	svchost.exe	38
PID 2308 wrote to memory of 1064	2308	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe
"C:\Users\Admin\AppData\Local\Temp\19b6099de4bbf8b2da37723f682728a99b8b5d347fcc002dc0bdc408764a53fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2072

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
1⤵
- Runs ping.exe
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
1⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259394188.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
319KB

MD5
68c930fe0dc06db350eadd92006d74ed

SHA1
e7d5488fe6fb7c49f3e94d679a9289b6fee6e31a

SHA256
962ab1d477180a4a5ba5abeea24ad0f40f79a9ba9e317609eef15b306f3ee470

SHA512
06555a1699d0c3cfcff838b2d6a50ae6f1007f1d6a640de74509e243c97060731fe3221b2eb210c45c457e901330588a81a8d5061e1949a4212ab2ca026bcced

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
33KB

MD5
c0346c4cdd8a65b80411217d27e589fc

SHA1
3f703058675af5971fada8ec8bee9a3c546132a8

SHA256
7d4d740705fb8bdaa5cf45c0b09b4648c61b60fb3f082a8ce5b88eb633fa1de7

SHA512
f60f451b39019efe978d61c3f92ef191da6ecc1b246d9bb7090c9146f2a5a298f5b179d72bfbf7fb925bf2f5f19b1984e963777c875c295bbde0186a0b25686a

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
62KB

MD5
01601c2c04797b79224b42fad7821a6b

SHA1
c9442d52dc305a23fb4d7bfdc5c2497fa28a541f

SHA256
3a4209aca3f3a710ea00c22b7002f0ae136de0804cd288e0b8b8e7dc92467909

SHA512
c5ba8ae1c82fb7bb913d0e3f5f8e719053b1ac35146d82038e58129e353ea49cee9a69136bea31e22dfa5c689ede8b12a54781f032c562be7b74e5a74b93c1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
21KB

MD5
2c45ed10b4647fa81561af0b51b53113

SHA1
b91c4cde8a85f11e6ec3841ff69c7b28d655b392

SHA256
9576d47970b9a5d09867e789175b42786ae869b6e1f2e1db2dc1a457f6fec7d5

SHA512
2fbff956a5876caf40ef871a8fd3c809b2bc41373b785d6ea7924415b733f0f9d596c136c85830a46dbca1156fbabd10db49ab6b75aaeec54e1978cf419bc07c

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
32KB

MD5
eaae2a85ff5bdc15f81fe9f0675d4c29

SHA1
471c3c2e766ce2d4c7c45af5e377247e6424e25d

SHA256
5d7eea278b7af53af1129682db8e1e7d3074e0720d5463fca57de4a7bc0e09c9

SHA512
4cac4c4d80ecb3af8d1f135de4fb5fcc1450162c9c8d322aef4b2c64d7e8dc7d7947c8e59929c0c715d4a923212583ef34a438c8e4c09421db96c5816207a5a8

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
33KB

MD5
41080ccf504aa84c787c5e35cf4a0df6

SHA1
dd12305677c9c8aa3c386dcf0c7ada94e0374ec6

SHA256
e9059d5977615c3eb5f20f52cbe199a57c20f82357317db90f919c31227a8abf

SHA512
a7960b99e3fedf9239d8e703cc59e38b8129211e75e090cf4993988f4f654b7c545009498759b4ff43367512454718c6cb5acd2993a5f66e21e1e6fe6418c96d

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
20KB

MD5
85f3ef6768a2d484f790b7238c02c181

SHA1
4c3979914a6d7afe68e2df2da7127c014817f058

SHA256
fb434a21b502d33719d1a46e4044a40bc2524ccde4a591d8cf8b4196e5e01cdb

SHA512
763d3cd736d11fdcddb38358ae70d500460d26c2ba501648188ae93ff4a1ce2cec6c4f6aaccba225e7782803504c79e20aaf41b9a0b0f6906dad4480144661c4

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
5KB

MD5
71657d687ca515ab1b42d9995127b5a9

SHA1
f219ccd1abab3b1d3e01db9e376b828277ed95ed

SHA256
d807f97c96166b13dce003768bf2bcf06cd51b0e5de679e5848d59a1eb1e7808

SHA512
2f5479dc2f85ecf00f53e9febae25353e785b45e8bc3e9aa474b393d7782c4fc5b99481a82c505600b3a1caae6a83920b072320b57d8f99e3edac617cb86d2ea

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
1KB

MD5
1d154cde763e34c3f47dcd57ca3c85a1

SHA1
e210ce378aa42320629558480b2e6e8839166424

SHA256
cc1c1fc6773f9268327b7c7a6a3ac14242bde414deeae812ba03b7a18db53126

SHA512
4e0836020017a7435370f50154aeed24e3fbf9bfea220434d5dfafd4963915bcd05c2bf1500f26d08890fdc6ee31e4a3deb316d24229f4a7738b364237c9e73b

Download Submit
\??\c:\windows\SysWOW64\259394188.txt

Filesize
26KB

MD5
39a7d44bae846d5d6f19a082a87f2770

SHA1
c6ab2f6ab1b40bfa7974ce3a90e465955c78c45b

SHA256
79d6411e4fe506fb93428824ecbea562704254e7058e39a9213839dd35a9844c

SHA512
ad02aa9f93a8633aaf323e14fc2bac3f6f49e0017f72d5ae1ff5b1c9b10f96f15cd78a919c47078ab3cbc720dce334f671fc955f1871c6267f0fcec0577e6a7b

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
5KB

MD5
c5b101135a0f2bdc477fe820a8a03ad5

SHA1
9f72179350cc634589b41098f6db381ae7a9494d

SHA256
f9e823763a6abb4d7d7a9883a5ce77f71891a07aa704aff95cf16b07c5bd74a4

SHA512
17df7359afe460acefe312f6d17e4ee5386629c1ce9fc674e30c86bf8df1193e63e6a6b3fe11641c488d2a9e73feab0436d426d9a1150b8779840f12b159d997

Download Submit
\Windows\SysWOW64\259394188.txt

Filesize
1KB

MD5
bf123aaa27c21ba519bc707f92cb7abe

SHA1
43aefc882c2fae5b31bbd47ca923c86da010e38f

SHA256
fa41729572d2f7a2bc7a4b5e72145b39d9bad13b3485be085f06acfd773fce49

SHA512
6a8c11ed6e76d80a4421242fb90e84dd7f31e900e9e02b4297fd52d5f826548b535029da4b92ca246d968060fbd90f045f389a29c2dbe26cf6cc2442cbea0550

Download Submit
\Windows\SysWOW64\259394188.txt

Filesize
5KB

MD5
bf3244d01d5b29bb3e7a9160de6acada

SHA1
6dd6f143be98f9e500a04868d4749042247ca06c

SHA256
9608801b116337df060e5b31dadb2b8a5ebd32f963ecfd3dcff87bc104c7088f

SHA512
94312c116916c5007446fbbd244c4b0898a2cdd5b631313fc41b09caf04f7ce6cc80848da15da0806428183ff28d067a20f40de18c74fb0a43747b3c5e7af41f

Download Submit
\Windows\SysWOW64\259394188.txt

Filesize
33KB

MD5
de9763efb422b2a10bf0435a726aae8e

SHA1
ed5af4a3196a5ab7d5828acf77f0a704d6cd03fb

SHA256
044574862db51ddd525f346a5cc595fe095bbf5b1bf8ad18a113c21526c1f827

SHA512
0ac88e0e188696e87a208d69ddbaa00b82be94907151371d9869a0716db54cf849e4b1014b8195344d0316655ae2886a5a7af951d9888752e2d06e95f3fb3489

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
2KB

MD5
d7dd836d68a1c0fb4051a95dfd985005

SHA1
639d1317a18445616131eaaa48a2762c3917895a

SHA256
7d1e40942870f956189dce8e325b2bc08994c67beb2b03ae3f5b90e5811c9555

SHA512
e5978a48693687b712e3d7bb4498eaa0451e644802b6dae8bc013d6078fea067bcebdffeb29d0b0cd1ec2952f45955f2be822f3ff5a2ed346ab50752981074d7

Download Submit
memory/2668-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2748-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2748-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2748-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2748-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2904-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2904-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2904-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2904-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads