gh0strat | 5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb

General

Target

5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
Size

5.3MB
MD5

302637ac6d0cf20d45fe6663c835b961
SHA1

7f73c862014a3948784e2969645d12f624404c01
SHA256

5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb
SHA512

2928455bc86dd93e0587bb8b99047b87d75fc01c974b26bc7cf7de085c3b2f237078485d1388e2482b5020eeac58060d9d822556901a57a273775a7b3180d238
SSDEEP

98304:hGdVyVT9nOgmhNUty9VBEkPbN6XXR8yS6k7u4IUWKPGeJUty9VBEkP3YRz7xPNIt:eWT9nO73Uty9VBEkPhCXR8H7u5U1PtJ3

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/2200-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2200-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2200-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4816-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4816-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4816-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4816-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4860-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4860-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4860-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2200-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2200-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2200-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4816-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4816-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4816-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4860-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
C:\Windows\SysWOW64\240598093.txt	family_gh0strat
behavioral2/memory/4816-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4860-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4860-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4860-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

Processes:

svchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

pid	process
2200	svchost.exe
4816	TXPlatforn.exe
624	svchos.exe
4860	TXPlatforn.exe
4432	HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

Loads dropped DLL 1 IoCs

Processes:

svchos.exe

pid process

624 svchos.exe

pid	process
624	svchos.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2200-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4816-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4816-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4816-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4816-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4860-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4816-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4860-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4860-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4860-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

svchost.exesvchos.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240598093.txt	svchos.exe

Drops file in Program Files directory 5 IoCs

Processes:

5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2436 624 WerFault.exe svchos.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5024 PING.EXE

pid	pid_target	process	target process
2436	624	WerFault.exe	svchos.exe

pid	process
5024	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

pid	process
2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

4860 TXPlatforn.exe

pid	process
4860	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2200	svchost.exe
Token: SeLoadDriverPrivilege	4860	TXPlatforn.exe
Token: 33	4860	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4860	TXPlatforn.exe
Token: 33	4860	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4860	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

pid	process
2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exesvchost.exeTXPlatforn.execmd.exe

description	pid	process	target process
PID 2124 wrote to memory of 2200	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	svchost.exe
PID 2124 wrote to memory of 2200	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	svchost.exe
PID 2124 wrote to memory of 2200	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	svchost.exe
PID 2200 wrote to memory of 1036	2200	svchost.exe	cmd.exe
PID 2200 wrote to memory of 1036	2200	svchost.exe	cmd.exe
PID 2200 wrote to memory of 1036	2200	svchost.exe	cmd.exe
PID 2124 wrote to memory of 624	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	svchos.exe
PID 2124 wrote to memory of 624	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	svchos.exe
PID 2124 wrote to memory of 624	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	svchos.exe
PID 4816 wrote to memory of 4860	4816	TXPlatforn.exe	TXPlatforn.exe
PID 4816 wrote to memory of 4860	4816	TXPlatforn.exe	TXPlatforn.exe
PID 4816 wrote to memory of 4860	4816	TXPlatforn.exe	TXPlatforn.exe
PID 1036 wrote to memory of 5024	1036	cmd.exe	PING.EXE
PID 1036 wrote to memory of 5024	1036	cmd.exe	PING.EXE
PID 1036 wrote to memory of 5024	1036	cmd.exe	PING.EXE
PID 2124 wrote to memory of 4432	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
PID 2124 wrote to memory of 4432	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
PID 2124 wrote to memory of 4432	2124	5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe	HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

C:\Users\Admin\AppData\Local\Temp\5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
"C:\Users\Admin\AppData\Local\Temp\5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:5024

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 452
3⤵
- Program crash
PID:2436

C:\Users\Admin\AppData\Local\Temp\HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
C:\Users\Admin\AppData\Local\Temp\HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe
2⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 624 -ip 624
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_5513ce49b50a085b736704f144d2b173ee50951c197878aa8378dceca029cedb.exe

Filesize
3.7MB

MD5
2ca13048809501b4096bbbaa6057d74e

SHA1
1b4d46c1158fdecca3fef34411fc3abacffda7a4

SHA256
b237c2de26a3d4d435068c93ff74e77ba66a62028f6ced58e416c5b7f1c9bcb5

SHA512
d20c544e5bd080c3d594ae0d35e874a4050b0c38aa6c1bf0769c6ca715bf3fc1fe37d42308386e192f942a7ae79d6e43f439ec2c609ea72c5462ef63e3f9ec8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.5MB

MD5
4eae6f394aa981542a565a2262a8a70c

SHA1
60362c4e6559a88ad480ae2a0ebdb0e192d09433

SHA256
50bd8f07425d307b0a02ef39c1a388426acfabba91f261868ca1d1527baf2c29

SHA512
45a8faf138e1e71d809d87a8bca39bc4b4b19d7d09731a663cb7ec9dc820caf5acffa0563e9b1e6fcf125e2c318b384d40db0a9b3b7b4323ab0eda3445ffe46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\240598093.txt

Filesize
50KB

MD5
9950e034f845119f7f1b76e44a646540

SHA1
64b5bd33c45ce97d4890b9d49834bd37f4d2d235

SHA256
82054955bca8cd023a4f145f1637e9efcbca5df8421baefd8850a3bd99b02eac

SHA512
dfe9c69c97f6811f44d261ebb06d22537c61b95fe8e7456ebb88e56cba561c2737000ad01bb5cfc98cbb3a0a99ccb10a38a7ea9ec3fb2165a99536a700c43710

Download Submit
memory/2200-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4816-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4816-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4816-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4816-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4816-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4860-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4860-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4860-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4860-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads