gh0strat | b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135

General

Target

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
Size

2.9MB
MD5

fb9a3095c8c0e60fe211504f91687357
SHA1

4f2f99ed16fbf25afb8883cb30b472d4341c2fd9
SHA256

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135
SHA512

8ae90225a7b8a400711071ad3a864797e4fef042f1f15294000950f5a9e0a2bf723783415923044e25d0cda99e8884560d3e5433f28670ea85c2bce57e1540da
SSDEEP

49152:J09XJt4HIN2H2tFvduyS7Ydq5368ic36vPxeXGnNAoxrcYz9IF7m498+YJC9yCT2:qZJt4HINy2Lk7yf8ic36v4XkVxrcYz9N

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2632-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2632-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2632-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2608-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2988-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2988-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2988-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2988-54-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2988-71-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2632-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2632-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2632-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2608-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2988-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2988-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2988-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2988-54-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2988-71-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

pid process

2632 RVN.exe
2608 TXPlatforn.exe
2988 TXPlatforn.exe
2680 HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

pid	process
2632	RVN.exe
2608	TXPlatforn.exe
2988	TXPlatforn.exe
2680	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Loads dropped DLL 3 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exeTXPlatforn.exe

pid	process
2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
2608	TXPlatforn.exe
2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2632-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2632-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2632-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2632-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2608-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2988-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2988-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2988-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2988-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2988-54-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2988-71-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2672 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

pid process

2316 b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2988 TXPlatforn.exe

pid	process
2672	PING.EXE

pid	process
2988	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2632	RVN.exe
Token: SeLoadDriverPrivilege	2988	TXPlatforn.exe
Token: 33	2988	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2988	TXPlatforn.exe
Token: 33	2988	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2988	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

pid	process
2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exeRVN.exeTXPlatforn.execmd.exe

description	pid	process	target process
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2316 wrote to memory of 2632	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2632 wrote to memory of 2572	2632	RVN.exe	cmd.exe
PID 2632 wrote to memory of 2572	2632	RVN.exe	cmd.exe
PID 2632 wrote to memory of 2572	2632	RVN.exe	cmd.exe
PID 2632 wrote to memory of 2572	2632	RVN.exe	cmd.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 2988	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2316 wrote to memory of 2680	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 2316 wrote to memory of 2680	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 2316 wrote to memory of 2680	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 2316 wrote to memory of 2680	2316	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 2572 wrote to memory of 2672	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2672	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2672	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2672	2572	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
"C:\Users\Admin\AppData\Local\Temp\b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2672

C:\Users\Admin\AppData\Local\Temp\HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
C:\Users\Admin\AppData\Local\Temp\HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
08404afce33fb3f15b8f900ffb9b7b1c

SHA1
ada90bfaee16a7282420704b1a99fcfa21392404

SHA256
b8e2ed59bcf1299ac6417570b583a4dd9f6a9dbae56462e9c263ea97f8717643

SHA512
c9aa66b8e7244cb2a0aac8632d58ab0441180fe3ac15b7bc8279858d6ad0c04b32c270d9c675a55e2f5bbc13ecaec5fdfc79518cf9af8fbda9d9982e68f4a617

Download Submit
\Users\Admin\AppData\Local\Temp\HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Filesize
1.6MB

MD5
8c56774d965fee1c2a545f829397f886

SHA1
ad6296e781dc51f8b83482f348bde9cbedc5ff1c

SHA256
4d4346e5c731db7c49f99f2c161e71217d0db706e878c8de39bef69c40f1c7c3

SHA512
af731335ac62f62beef835ae67538b7a3e0bd9313e28e3d758ffc237a2037d48e8f1586f5140a260914dc0716d8f434a104804ec5a57ccd8235ccba663b79032

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2608-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2632-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2632-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2632-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2632-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2988-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2988-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2988-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2988-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2988-54-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2988-71-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads