gh0strat | 41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495

General

Target

41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
Size

2.0MB
MD5

ba58560bf1462e5ad2e85e4628c2a804
SHA1

ed6b2390b51226c62c24dcfa0faede26f373a198
SHA256

41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495
SHA512

49d31d5f69432105375accc198851a6436258899781004eee7cd5aa27581fd7b915eb30f380c9e74e6b53132f1efbe9db8838dd0116e71f0d282309704391206
SSDEEP

24576:I09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+5WyQYgBuAOGvaWXGY:I09XJt4HIN2H2tFvduySbgpJfp

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4872-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4872-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3244-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3244-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3244-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3244-25-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4872-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3256-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/memory/4872-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4872-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4872-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3244-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3244-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3244-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3244-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4872-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3256-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

pid	Process
4872	RVN.exe
3244	TXPlatforn.exe
3256	TXPlatforn.exe
1112	HD_41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4872-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4872-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4872-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4872-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3244-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3244-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3244-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3244-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4872-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3244-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3256-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2376	1112	WerFault.exe	95

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4688	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3256	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4872	RVN.exe
Token: SeLoadDriverPrivilege	3256	TXPlatforn.exe
Token: 33	3256	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3256	TXPlatforn.exe
Token: 33	3256	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3256	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4872	1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe	90
PID 1196 wrote to memory of 4872	1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe	90
PID 1196 wrote to memory of 4872	1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe	90
PID 4872 wrote to memory of 4296	4872	RVN.exe	94
PID 4872 wrote to memory of 4296	4872	RVN.exe	94
PID 4872 wrote to memory of 4296	4872	RVN.exe	94
PID 3244 wrote to memory of 3256	3244	TXPlatforn.exe	96
PID 3244 wrote to memory of 3256	3244	TXPlatforn.exe	96
PID 3244 wrote to memory of 3256	3244	TXPlatforn.exe	96
PID 1196 wrote to memory of 1112	1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe	95
PID 1196 wrote to memory of 1112	1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe	95
PID 1196 wrote to memory of 1112	1196	41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe	95
PID 4296 wrote to memory of 4688	4296	cmd.exe	101
PID 4296 wrote to memory of 4688	4296	cmd.exe	101
PID 4296 wrote to memory of 4688	4296	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
"C:\Users\Admin\AppData\Local\Temp\41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4688
- C:\Users\Admin\AppData\Local\Temp\HD_41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
  C:\Users\Admin\AppData\Local\Temp\HD_41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 816
    3⤵
    - Program crash
    PID:2376

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1112 -ip 1112
1⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_41dfa56481cbd8544e2fa5e9b4bd24256252b07a29eb4dfced3a1dd31e50e495.exe

Filesize
766KB

MD5
65fb51bcb01673d4701f7c60a2da2649

SHA1
afd8438c89428e3df6a2ce3672f0581d890a560f

SHA256
a3629dfecf3e04cab10ba63922164057f478192c9738d891d8fe154d1a20ef2c

SHA512
29f8fca9e3879805df78b3a8ccf6ef353f7c0f4839af904a5303c362dd18edbafb8477f919fa39445f6dfea49c45ae98f2a2221f6be677a2a95894eab27c48e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
8e69f5a206633b44e96136eb8ad9876e

SHA1
b9aaee3a8eb6e17b003511a37d80364f37ab1560

SHA256
be4cc981ad6e3351fbe3f2b40415e1d7ea308bd667af84897c826f0a90da4d4a

SHA512
714158984c07219354fafb3558dd9f349e1bb9fcc31c168c1a36c15afd3608d4d27521d26d1251810e06e6edbbbbc17c103a2c442a0ddc1e9f50fec2b5bf4b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX9357.tmp

Filesize
1.3MB

MD5
b4b4e45403ba5a06984f6a31b0efbba6

SHA1
bfa70556ed985e70ff25ca01fc6802979f4fa141

SHA256
6a385bf15c8c0b597be147673f89e18106c158143385bf22e88f3664bef252bf

SHA512
9509bfb1f444d600827f9296ab7219fe26e2adc321f3469a4f75d144a8ebc80c59e807b4e0c13297ab75388693a2a6640043fbd7cbbecd3fe8532956d5f086de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\X.ico

Filesize
69KB

MD5
e33fb6d686b1a8b171349572c5a33f67

SHA1
29f24fe536adf799b69b63c83efadc1bce457a54

SHA256
020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

SHA512
cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

Download Submit
memory/1112-32-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/1112-31-0x0000000000FB0000-0x0000000001074000-memory.dmp

Filesize
784KB

Download
memory/3244-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3244-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3244-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3244-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3244-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3256-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4872-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4872-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4872-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4872-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4872-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads