gh0strat | cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d | Triage

Submit
Reports

Overview

overview

Static

static

3

cefd197c5a...8d.exe

windows7-x64

cefd197c5a...8d.exe

windows10-2004-x64

Sharing

General

Target

cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d
Size

1.7MB
Sample

240526-eh7mzaeg89
MD5

c07a2bc1a2d015afa04a3b614bb75fac
SHA1

c45ebe7bdfdc15ca474ec4e04ead9b74954d3e97
SHA256

cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d
SHA512

00ceffd59612472f86783d688d1c2111a7c5650480028c1791c8a87bad085f108bd6fc547144a82a02d5c375b5c1e3bcef4e88d0b87e94b1d296068c8b999637
SSDEEP

24576:aQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVrYB:aQZAdVyVT9n/Gg0P+Who7

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d.exe

Resource

win7-20240508-en

gh0strat purplefox persistence rat rootkit trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d.exe

Resource

win10v2004-20240426-en

gh0strat purplefox persistence rat rootkit trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d
- Size
  
  1.7MB
- MD5
  
  c07a2bc1a2d015afa04a3b614bb75fac
- SHA1
  
  c45ebe7bdfdc15ca474ec4e04ead9b74954d3e97
- SHA256
  
  cefd197c5a15a875dbde2dcf61688063ed273c836489de08f0d74d2f7107798d
- SHA512
  
  00ceffd59612472f86783d688d1c2111a7c5650480028c1791c8a87bad085f108bd6fc547144a82a02d5c375b5c1e3bcef4e88d0b87e94b1d296068c8b999637
- SSDEEP
  
  24576:aQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVrYB:aQZAdVyVT9n/Gg0P+Who7
Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratpurplefoxpersistenceratrootkittrojanupx

behavioral2

gh0stratpurplefoxpersistenceratrootkittrojanupx

© 2018-2024

Terms | Privacy