gh0strat | b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135

General

Target

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
Size

2.9MB
MD5

fb9a3095c8c0e60fe211504f91687357
SHA1

4f2f99ed16fbf25afb8883cb30b472d4341c2fd9
SHA256

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135
SHA512

8ae90225a7b8a400711071ad3a864797e4fef042f1f15294000950f5a9e0a2bf723783415923044e25d0cda99e8884560d3e5433f28670ea85c2bce57e1540da
SSDEEP

49152:J09XJt4HIN2H2tFvduyS7Ydq5368ic36vPxeXGnNAoxrcYz9IF7m498+YJC9yCT2:qZJt4HINy2Lk7yf8ic36v4XkVxrcYz9N

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/2968-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2968-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2968-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2364-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2364-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2364-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2364-25-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3944-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3944-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3944-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3944-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2968-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2968-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2968-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2364-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2364-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2364-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2364-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3944-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3944-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3944-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3944-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

Processes:

RVN.exeTXPlatforn.exeHD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exeTXPlatforn.exe

pid process

2968 RVN.exe
2364 TXPlatforn.exe
1380 HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
3944 TXPlatforn.exe

pid	process
2968	RVN.exe
2364	TXPlatforn.exe
1380	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
3944	TXPlatforn.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2968-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2968-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2968-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2968-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2364-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2364-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2364-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2364-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2364-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3944-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3944-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3944-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3944-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 5 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4952 PING.EXE

pid	process
4952	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

pid	process
3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

3944 TXPlatforn.exe

pid	process
3944	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2968	RVN.exe
Token: SeLoadDriverPrivilege	3944	TXPlatforn.exe
Token: 33	3944	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3944	TXPlatforn.exe
Token: 33	3944	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3944	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

pid	process
3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exeRVN.execmd.exeTXPlatforn.exe

description	pid	process	target process
PID 3400 wrote to memory of 2968	3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 3400 wrote to memory of 2968	3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 3400 wrote to memory of 2968	3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	RVN.exe
PID 2968 wrote to memory of 3340	2968	RVN.exe	cmd.exe
PID 2968 wrote to memory of 3340	2968	RVN.exe	cmd.exe
PID 2968 wrote to memory of 3340	2968	RVN.exe	cmd.exe
PID 3340 wrote to memory of 4952	3340	cmd.exe	PING.EXE
PID 3340 wrote to memory of 4952	3340	cmd.exe	PING.EXE
PID 3340 wrote to memory of 4952	3340	cmd.exe	PING.EXE
PID 3400 wrote to memory of 1380	3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 3400 wrote to memory of 1380	3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 3400 wrote to memory of 1380	3400	b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe	HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
PID 2364 wrote to memory of 3944	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 3944	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 3944	2364	TXPlatforn.exe	TXPlatforn.exe

C:\Users\Admin\AppData\Local\Temp\b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
"C:\Users\Admin\AppData\Local\Temp\b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:4952

C:\Users\Admin\AppData\Local\Temp\HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
C:\Users\Admin\AppData\Local\Temp\HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
2⤵
- Executes dropped EXE
PID:1380

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.3MB

MD5
08404afce33fb3f15b8f900ffb9b7b1c

SHA1
ada90bfaee16a7282420704b1a99fcfa21392404

SHA256
b8e2ed59bcf1299ac6417570b583a4dd9f6a9dbae56462e9c263ea97f8717643

SHA512
c9aa66b8e7244cb2a0aac8632d58ab0441180fe3ac15b7bc8279858d6ad0c04b32c270d9c675a55e2f5bbc13ecaec5fdfc79518cf9af8fbda9d9982e68f4a617

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_b09e9f7fb63b79134d6f42bc4886fa7ef2ca1ecfcffb1a07e2a2a39e9cba8135.exe
Filesize
1.6MB

MD5
8c56774d965fee1c2a545f829397f886

SHA1
ad6296e781dc51f8b83482f348bde9cbedc5ff1c

SHA256
4d4346e5c731db7c49f99f2c161e71217d0db706e878c8de39bef69c40f1c7c3

SHA512
af731335ac62f62beef835ae67538b7a3e0bd9313e28e3d758ffc237a2037d48e8f1586f5140a260914dc0716d8f434a104804ec5a57ccd8235ccba663b79032

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXAC4D.tmp
Filesize
1.2MB

MD5
d6492b201890241296ca5af79f27c269

SHA1
a09dd998793a50b52781c22008f31cf54b9b0deb

SHA256
0942cfb890ddf36b05ddbe7bbfa440501a8e81c7c7c3107287e07f97a081bdc6

SHA512
eab03990d584efbdd1385efe32354d9027c8bdd3a3a4d85d24b04171792d7cba14be2ff863e802c585e1a2a8d78e3a63232ed53250cfe98e6b1b864d7b0b0ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\X.ico
Filesize
69KB

MD5
e33fb6d686b1a8b171349572c5a33f67

SHA1
29f24fe536adf799b69b63c83efadc1bce457a54

SHA256
020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

SHA512
cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

Download Submit
memory/2364-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2364-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2364-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2364-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2364-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2968-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2968-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2968-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2968-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3944-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3944-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3944-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3944-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads