gh0strat | 4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609

General

Target

4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
Size

1.5MB
MD5

a38784155ebc680ed69176019f767377
SHA1

0cc83501defd5fb28068dd804f20f933befc45a1
SHA256

4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609
SHA512

3574c81e905cd04332b4c47e5943d3d03734a6ed2d6d5af2703d6203b2deaa3b047ba4d87519dfaf3913bef88b266031d5547415dd3bf76965f648878fbd3cc7
SSDEEP

24576:K09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+ufuRcJj2KM8+Eo0DFukBK/W:K09XJt4HIN2H2tFvduySapj2j/W

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2004-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2004-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2496-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2004-22-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2512-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2512-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2512-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2496-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2512-73-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2004-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2004-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2496-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2004-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2512-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2512-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2512-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2496-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2512-73-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

pid	Process
2004	RVN.exe
2496	TXPlatforn.exe
2512	TXPlatforn.exe
2224	HD_4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe

Loads dropped DLL 3 IoCs

pid	Process
2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
2496	TXPlatforn.exe
2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2004-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2004-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2496-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2004-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2496-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-73-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1468	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2512	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2004	RVN.exe
Token: SeLoadDriverPrivilege	2512	TXPlatforn.exe
Token: 33	2512	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2512	TXPlatforn.exe
Token: 33	2512	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2512	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2168 wrote to memory of 2004	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	28
PID 2004 wrote to memory of 2872	2004	RVN.exe	30
PID 2004 wrote to memory of 2872	2004	RVN.exe	30
PID 2004 wrote to memory of 2872	2004	RVN.exe	30
PID 2004 wrote to memory of 2872	2004	RVN.exe	30
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2496 wrote to memory of 2512	2496	TXPlatforn.exe	31
PID 2168 wrote to memory of 2224	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	33
PID 2168 wrote to memory of 2224	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	33
PID 2168 wrote to memory of 2224	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	33
PID 2168 wrote to memory of 2224	2168	4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe	33
PID 2872 wrote to memory of 1468	2872	cmd.exe	34
PID 2872 wrote to memory of 1468	2872	cmd.exe	34
PID 2872 wrote to memory of 1468	2872	cmd.exe	34
PID 2872 wrote to memory of 1468	2872	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
"C:\Users\Admin\AppData\Local\Temp\4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1468
- C:\Users\Admin\AppData\Local\Temp\HD_4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
  C:\Users\Admin\AppData\Local\Temp\HD_4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_4735a1914a778d97246b2eabe1fc870f93b43fe0da8ad1b3ef693d1fc44ac609.exe

Filesize
437KB

MD5
0a72ebf5ab50b1b66057843730813005

SHA1
40ffbe8f2fc30407145ee896ad166d08562acc30

SHA256
d32f4227a312abc42fca893f17b947420330f67b371bdf6d1a3e8dc241d53514

SHA512
56b8acffb6ce9f26ce4263c981df2d76ad183de52c86c04e7c73e819cb2b38784de2d8401f5d93609b29ede5209779f152b01ee5be053c72ec339a08e86020f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
63dd81c8e2f6036be14fc7b65e5cea1e

SHA1
20e49d40b767f00110a27dacec26f5a8347d32ef

SHA256
4c0100e19ad2be0ebc7d5ca40740921cc5b49fb8e0900a9838eedf7bc3a77d68

SHA512
9fc82e3205db25e4f6ace23f589bcde93d12aaf612f46743272f926c7925e912d8f353a660e4f31bd51d1612aa51d6f7f10bc2be3ff6983b8a3166ed364208e6

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/2004-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2004-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2004-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2004-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2496-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2496-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-73-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads