gh0strat | c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635 | Triage

Submit
Reports

Overview

overview

Static

static

1

test.msi

windows10-2004-x64

Resubmissions

23-05-2024 02:37

240523-c36v3aah3v 10

23-05-2024 02:32

240523-c1n78saf9v 6

Sharing

General

Target

test.msi
Size

2.1MB
Sample

240523-c36v3aah3v
MD5

bfd00224b00b9f6f07f424f75cff6836
SHA1

2bf889bcc9b413cec07925bac78610391faecaad
SHA256

c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635
SHA512

eab303bd75a18948c7d2e0572f7ffbc1f9165972ec06163bd7e7274b3b743103b3d160d0c1d5b4a0d92735f34f6f6c6a5b9ec6e9c7fbc33494eaf18f564dbd90
SSDEEP

49152:p5yULiNbhfDc7yEq9WRhd9Itc71hE7T8XX5UpAH7uidqFWV63hTI97qjfAj:e05q2t7vGA5bkWkRTI9qjY

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

test.msi

Resource

win10v2004-20240508-en

gh0strat purplefox discovery persistence rat rootkit spyware stealer trojan

windows10-2004-x64

35 signatures

150 seconds

Malware Config

Targets

- Target
  
  test.msi
- Size
  
  2.1MB
- MD5
  
  bfd00224b00b9f6f07f424f75cff6836
- SHA1
  
  2bf889bcc9b413cec07925bac78610391faecaad
- SHA256
  
  c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635
- SHA512
  
  eab303bd75a18948c7d2e0572f7ffbc1f9165972ec06163bd7e7274b3b743103b3d160d0c1d5b4a0d92735f34f6f6c6a5b9ec6e9c7fbc33494eaf18f564dbd90
- SSDEEP
  
  49152:p5yULiNbhfDc7yEq9WRhd9Itc71hE7T8XX5UpAH7uidqFWV63hTI97qjfAj:e05q2t7vGA5bkWkRTI9qjY
Score

10^/10

gh0strat purplefox discovery persistence rat rootkit spyware stealer trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratpurplefoxdiscoverypersistenceratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy