gh0strat | 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32

General

Target

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
Size

1.6MB
MD5

977835f800411f890e27df62a3007aa0
SHA1

f36c6f5f2710b1b9768e2c4cbbca436128a32069
SHA256

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32
SHA512

0c3b80efb020b548d3ee48cdac5892df25840c3542429c140366abe08f9e2036ce0c80caa01f6e1995451cce4d0647cc011f187519c9b0b86d58032807b98354
SSDEEP

24576:NYAyyzawhZvk90l7RNbBOUHJYTUgESji6ywZFa6tIbJNS7q+SnqTlsKBxgCrl:NBuwhlyJuYTUgEYifwNW9Y2DKNB3

Score

10^/10

gh0strat purplefox rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 14 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/3708-4-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/3708-6-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/3708-3-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/3708-7-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4572-18-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4572-19-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4572-25-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4572-17-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4572-16-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4572-15-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4884-30-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4884-29-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4884-31-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit
behavioral2/memory/4884-28-0x0000000010000000-0x00000000101D0000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-4-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/3708-6-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/3708-3-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/3708-7-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4572-18-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4572-19-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4572-25-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4572-17-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4572-16-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4572-15-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4884-30-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4884-29-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4884-31-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat
behavioral2/memory/4884-28-0x0000000010000000-0x00000000101D0000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Executes dropped EXE 2 IoCs

Processes:

Aqrjk.exeAqrjk.exe

pid process

4572 Aqrjk.exe
4884 Aqrjk.exe

pid	process
4572	Aqrjk.exe
4884	Aqrjk.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3708-4-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/3708-6-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/3708-3-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/3708-1-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/3708-7-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-13-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-18-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-19-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-25-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-17-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-16-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4572-15-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4884-30-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4884-29-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4884-31-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4884-28-0x0000000010000000-0x00000000101D0000-memory.dmp	upx
behavioral2/memory/4884-26-0x0000000010000000-0x00000000101D0000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

Processes:

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exeAqrjk.exeAqrjk.exe

pid	process
3708	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
4572	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe
4884	Aqrjk.exe

Drops file in Program Files directory 2 IoCs

Processes:

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe

description	ioc	process
File created	C:\Program Files\Aqrjk.exe	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
File opened for modification	C:\Program Files\Aqrjk.exe	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2372 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe

description pid process

Token: SeIncBasePriorityPrivilege 3708 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exeAqrjk.exeAqrjk.exe

pid process

3708 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
4572 Aqrjk.exe
4884 Aqrjk.exe

pid	process
2372	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3708	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exeAqrjk.execmd.exe

description	pid	process	target process
PID 3708 wrote to memory of 3548	3708	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe	cmd.exe
PID 3708 wrote to memory of 3548	3708	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe	cmd.exe
PID 3708 wrote to memory of 3548	3708	8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe	cmd.exe
PID 4572 wrote to memory of 4884	4572	Aqrjk.exe	Aqrjk.exe
PID 4572 wrote to memory of 4884	4572	Aqrjk.exe	Aqrjk.exe
PID 4572 wrote to memory of 4884	4572	Aqrjk.exe	Aqrjk.exe
PID 3548 wrote to memory of 2372	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 2372	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 2372	3548	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
"C:\Users\Admin\AppData\Local\Temp\8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\8330F8~1.EXE > nul
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2372

C:\Program Files\Aqrjk.exe
"C:\\Program Files\\Aqrjk.exe" -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572

C:\Program Files\Aqrjk.exe
"C:\Program Files\Aqrjk.exe" -acsi
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Aqrjk.exe
Filesize
1.6MB

MD5
977835f800411f890e27df62a3007aa0

SHA1
f36c6f5f2710b1b9768e2c4cbbca436128a32069

SHA256
8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32

SHA512
0c3b80efb020b548d3ee48cdac5892df25840c3542429c140366abe08f9e2036ce0c80caa01f6e1995451cce4d0647cc011f187519c9b0b86d58032807b98354

Download Submit
memory/3708-20-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/3708-4-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/3708-6-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/3708-3-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/3708-1-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/3708-7-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/3708-0-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4572-13-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-18-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-19-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-15-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-25-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-24-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4572-12-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4572-17-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-16-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-30-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-39-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-29-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-31-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-28-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-26-0x0000000010000000-0x00000000101D0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-34-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-35-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-36-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-37-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-38-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-22-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-40-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-41-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-42-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-43-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-44-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-45-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-46-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-47-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/4884-48-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads