gh0strat | e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
Size

2.1MB
MD5

5683faaeb3d29dd77719fe69f0285d1e
SHA1

4d7da351f3eb2084b6864facad57d7c6e2679185
SHA256

e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4
SHA512

aa8a54b6a27141c7a2a2b6c3b0f30f43baf156d4e2acad7802d184572210bd24b8244420921a0146e6714cefab036f38d8a53e778292de4ef3245ac706dcecf0
SSDEEP

49152:ZQZAdVyVT9n/Gg0P+Whospe1VZPItx2apeapelI:KGdVyVT9nOgmhW1ItUvlI

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2032-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2032-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1816-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2032-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1816-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral1/memory/2032-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2032-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2032-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1816-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2724-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x0034000000015653-35.dat	family_gh0strat
behavioral1/files/0x0034000000015653-39.dat	family_gh0strat
behavioral1/files/0x0034000000015653-37.dat	family_gh0strat
behavioral1/memory/2032-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1816-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259401644.txt"	svchos.exe

Executes dropped EXE 6 IoCs

pid	Process
2032	svchost.exe
1816	TXPlatforn.exe
2280	svchos.exe
2724	TXPlatforn.exe
2440	HD_e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
2916	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 8 IoCs

pid	Process
3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
1816	TXPlatforn.exe
2280	svchos.exe
2588	svchost.exe
3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
2588	svchost.exe
2916	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2032-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2032-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2032-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1816-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2724-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2032-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1816-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\259401644.txt	svchos.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2576	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 3000 wrote to memory of 2032	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	28
PID 2032 wrote to memory of 2256	2032	svchost.exe	30
PID 2032 wrote to memory of 2256	2032	svchost.exe	30
PID 2032 wrote to memory of 2256	2032	svchost.exe	30
PID 2032 wrote to memory of 2256	2032	svchost.exe	30
PID 3000 wrote to memory of 2280	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	32
PID 3000 wrote to memory of 2280	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	32
PID 3000 wrote to memory of 2280	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	32
PID 3000 wrote to memory of 2280	3000	e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe	32
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 1816 wrote to memory of 2724	1816	TXPlatforn.exe	33
PID 2256 wrote to memory of 2576	2256	cmd.exe	34
PID 2256 wrote to memory of 2576	2256	cmd.exe	34
PID 2256 wrote to memory of 2576	2256	cmd.exe	34
PID 2256 wrote to memory of 2576	2256	cmd.exe	34
PID 2588 wrote to memory of 2916	2588	svchost.exe	38
PID 2588 wrote to memory of 2916	2588	svchost.exe	38
PID 2588 wrote to memory of 2916	2588	svchost.exe	38
PID 2588 wrote to memory of 2916	2588	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
"C:\Users\Admin\AppData\Local\Temp\e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2576
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\HD_e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
  C:\Users\Admin\AppData\Local\Temp\HD_e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259401644.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
50KB

MD5
e8d4b732951d62fe307f6ebf94536139

SHA1
7e8a2da55658de8c88b3c8ada985b26ec67e7866

SHA256
f2ef37b6baffe6bcba4c950f0c6596bc2a8cc38574fc9e057d7f5b9b825bd69f

SHA512
a80a4de414335844d5c756af5b23740235556c79c3a195a9ff9b5373a5afae46a58696ea70d2dd56c9acba4d2a00b619e2fd045e886358a4f8a2e7fdf5928b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe

Filesize
1KB

MD5
8115b805608e0c0b599f9a7e4862c7e1

SHA1
e476afdf015b04842a3b5769635f611b0218f0af

SHA256
aef463c06ea4ff31ad50a6fdff60d68bd642ed8ac2e158c65a16656f6560d27e

SHA512
02f5f9da52a71b6fd32cc229c5bec58bfe089d077a4c22aa16aaaf464cbaefc3b940120c75758e8d4c7b8e866f850d41c3329078363558e5abd967c274882fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
86KB

MD5
cff4f25139c3a5b4a80a46620d600634

SHA1
c8f4d5e22c2eb9bd9ca8f44f7531779f276d96e7

SHA256
bb6dd5358906087347117cb7ca03f18e5a78c023ac8a7c118f42aa884f25eb98

SHA512
50835c1a44fdf3b415b774e9c2b009a51cb870cfc7b85f5af3d56025fee4f8b20b83e94461461b51254b4dccac425ed8f0b60fe19ed06dcb5c31e1f33296f2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
87KB

MD5
edf62132574631b5fb62f308a4a9e721

SHA1
15b893752b3134f879018fecc1b46a4ffa1a5675

SHA256
c60aba7785f1c9990a840c3d0c64e184b14678058e9bf620cde7a92c91b98ffb

SHA512
eecc8be95a67b26cf80d4c8c2e03d1782e47f6ed4db16c8921ee3201c76cb6c0e6b19a00926aa46ece96c3fe1012a3851a5c865b8b1cbe3ece8469def5c45b76

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe

Filesize
365KB

MD5
c25f42346c26c08e411089ce90012503

SHA1
2f5a7a10d91d867b2d690fa743f341ab71dcfd96

SHA256
3ce807be5915d3bf7b02f9916046df96aab6a12b0816dfbfaecc873a9cbbf6ae

SHA512
0f22b4703f49d5a1e60355fcd535c9c953a3fa819be5fbedd5a1bc9870088e78c044dcbab1518db50f04de3493e7193904d93ce01fd9762430c086e6ffe099de

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe

Filesize
145KB

MD5
5830496191747c00fe2aca5ed1f91e24

SHA1
5a207e3388afc65a0d202b100b55c027f894a865

SHA256
1e554943190294b5fdd8758b132df049ee95657c7457960e6275770d59e7316d

SHA512
f0067c3b2b2fa66def493d95dd933524f62e405a8b854ec8233a4a2a5d62626d11c36cf52b7777987afade89f6f6c1bfe0d03638c0e3e74c643b851b13cb73f0

Download Submit
\??\c:\windows\SysWOW64\259401644.txt

Filesize
50KB

MD5
3422e1835b07d9baaea9d1543066de7e

SHA1
bc99938471f0858e950a865b68cfcf503b845169

SHA256
290990ba78f602ae85facadd40367ab236a21ee5529881b581d8d84b5f43baf4

SHA512
a75bbd1b58c2cb137aee8a027605f2f37e1c6fa594e14795fbce006692b5cfed9a8a945517b1e192ef5de2ad7f93b896bf87d1032ed6f5ab5c7e7cdec832dbca

Download Submit
\Users\Admin\AppData\Local\Temp\HD_e9a131f8d3b49ed43e570fa88b5742c4f74af5fab208fddc40b27d08998296f4.exe

Filesize
30KB

MD5
3b8bc0a583dfaf9fa49ec7b0026b3895

SHA1
df3013a452f74071e47d1defd4f1464fa219fc28

SHA256
b580dac1f102781e10778f0334b909c41cd8944ea4f0263071ab8de70a82ac25

SHA512
ab617fc4f8a5fa68ce897ae1cf5ebbcff869e5434fffd1f203d435a4b93b5fafec6b833e21e38eb5dab72ee105e8b2ae156c11de221505bcf908a0f715e7652b

Download Submit
\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
64KB

MD5
8bbe952c173882205a4330190b15f2c7

SHA1
c3b1a4c135819dc7d2cb064f6b09b14de43f116e

SHA256
7c60c328b2fa904477947e1d5c525aa660d355b3351fa64711fe9c110151f26f

SHA512
9977410e915ab7f457506d0497e55ea97476fb944a1a4d439e801f6ef0bfb828186d0a4613c250c26b70902caf606d824ae70e1394176047539a6c5c28770e1a

Download Submit
\Windows\SysWOW64\259401644.txt

Filesize
36KB

MD5
d888389fcdc114b8ce9986eeee185b09

SHA1
6381792ad366406b00d973f8e40ea7a763b47884

SHA256
45c44e2c798403384fe057fddd2010b74fbfbef4b26e57939de431de0ed3ccb2

SHA512
6ab32ce3dfcbcf3b6a0138ab84c2d1f13eb99d853a1b2a8aae9b0d0b49a4ffdf081d7f8ea8d5c47a7accbdf06cdbca0a796eabe09f21cb540e172f0b3dd5daa5

Download Submit
\Windows\SysWOW64\259401644.txt

Filesize
25KB

MD5
118ab2d597355b93ffba1ddebef0cd3b

SHA1
0e8aa5f159f32a90a8f1ea9efa44024b40e06136

SHA256
6e7bee41aee40d70cb684873f682867e58deddec7abadb25ed7af88bf1541387

SHA512
a490a224769adac5dc6fd2dc21fa64a1e91939328cd1c9cd5510165f3436f718f6890a1f6f89a8052843901b938c9dd0097e39aa088429b2b44d2ef2bbda1ae2

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1816-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1816-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2724-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download