gh0strat | 889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870

General

Target

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
Size

7.5MB
MD5

29648d223d8f4fee4dc091f0da973130
SHA1

61a96f165a03c1b7d9e530a2a2dbc139f34f0ab1
SHA256

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870
SHA512

805763b5d167641980a1ca7fb43513996750b3ad607f9f1b028038add47a7b5c7a7e6059d73507ca9b3f6a7636280d093178b7fb31d29861f152c6a31f6c041c
SSDEEP

196608:miINy2Lka6I+sbljs3XTx2+kr/U1fI+ZEP+:pInljs0tapZN

Score

10^/10

gh0strat purplefox oss_ak persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/5036-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/5036-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/5036-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3328-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3328-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3328-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3328-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1240-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1240-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1240-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1240-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5036-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/5036-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/5036-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3328-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3328-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3328-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3328-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1240-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1240-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1240-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1240-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	detect_ak_stuff

Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

pid process

5036 RVN.exe
3328 TXPlatforn.exe
1240 TXPlatforn.exe
2364 HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

pid	process
5036	RVN.exe
3328	TXPlatforn.exe
1240	TXPlatforn.exe
2364	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5036-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5036-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5036-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5036-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3328-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3328-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3328-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3328-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3328-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1240-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1240-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1240-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1240-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 5 IoCs

Processes:

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2868 PING.EXE

pid	process
2868	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exeHD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

pid	process
1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
2364	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
2364	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1240 TXPlatforn.exe

pid	process
1240	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RVN.exeTXPlatforn.exeHD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	5036	RVN.exe
Token: SeLoadDriverPrivilege	1240	TXPlatforn.exe
Token: SeDebugPrivilege	2364	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
Token: 33	1240	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1240	TXPlatforn.exe
Token: 33	1240	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1240	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

pid	process
1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exeRVN.exeTXPlatforn.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 5036	1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	RVN.exe
PID 1676 wrote to memory of 5036	1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	RVN.exe
PID 1676 wrote to memory of 5036	1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	RVN.exe
PID 5036 wrote to memory of 4288	5036	RVN.exe	cmd.exe
PID 5036 wrote to memory of 4288	5036	RVN.exe	cmd.exe
PID 5036 wrote to memory of 4288	5036	RVN.exe	cmd.exe
PID 3328 wrote to memory of 1240	3328	TXPlatforn.exe	TXPlatforn.exe
PID 3328 wrote to memory of 1240	3328	TXPlatforn.exe	TXPlatforn.exe
PID 3328 wrote to memory of 1240	3328	TXPlatforn.exe	TXPlatforn.exe
PID 4288 wrote to memory of 2868	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 2868	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 2868	4288	cmd.exe	PING.EXE
PID 1676 wrote to memory of 2364	1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
PID 1676 wrote to memory of 2364	1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
PID 1676 wrote to memory of 2364	1676	889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe	HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
"C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2868

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
1⤵
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
Filesize
6.0MB

MD5
22f7340e7ce6098c948d4369df4be09f

SHA1
c2c227fdb8702510e44bf8ae14c57e1ff8161612

SHA256
291fc1bfaf4da9b362dbf2eae0192da877932b811fc10f8b8d69701967f13fac

SHA512
cb759fc7bf942a4beb1f15b8d5def7f7541a83b2c8ba000343d471779216a9a2828f98d69bb2b0d981ea142456afcb6eb37bc9a0df82d303d4ebbb3d55d6b9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.4MB

MD5
f16e20253806997a16fc77594e2a11f9

SHA1
fc8f5e86c09539419537b08bbd95afb3c412026d

SHA256
65eaf3291401f8fec68c77ad398681b41d792d2fa3c438ed7caa3612299e31a9

SHA512
d496c19c4ecf422ee7cda9ef76c57a4e764a11472108f36388045fe6c3b66cf8d085b158a156fa06837f2ec498da0501749e6ab40b37156c8fb12d33272ad8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
af88c8dcbf1c5e287bb4f42c59eed448

SHA1
2b3124223de0a2df46ef88efb9231de25de343d9

SHA256
c0c4fc450f3b35cf4d672a5a551851f9d77903776b57a1787d4cf477666654a7

SHA512
0d8bcea1666abdb705fe270846f37dfcc4e2f4bc6e20295a6a201aeafe20a195f45c04d85c14da392a8c2556d33867d73783a8f233d4e5e7793ac6ab6bf573b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\X.ico
Filesize
69KB

MD5
e33fb6d686b1a8b171349572c5a33f67

SHA1
29f24fe536adf799b69b63c83efadc1bce457a54

SHA256
020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

SHA512
cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

Download Submit
memory/1240-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1240-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1240-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1240-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3328-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3328-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3328-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3328-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3328-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5036-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5036-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5036-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5036-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads