gh0strat | bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910

General

Target

bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
Size

2.4MB
MD5

f8f76bcf92d471334e77f891c17fba64
SHA1

360ec16bba09b03ca65c00382849ebea4aeb62d3
SHA256

bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910
SHA512

70b00d97d0dacfe25ba0430172e40d6534118ff0f48d73731eaae4e1041778af7b49153df7c4e3eb1e5bb13c37635568bf6ef1ab88d317d66129fb72ac623504
SSDEEP

49152:/qvqHgWVpi0bnnVgQXDifMQ64bB5mGwFZyXD0hL5THoea:/aqHtVM2iQXtQjZAhJa

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 18 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2516-12-0x0000000010000000-0x00000000101A0000-memory.dmp	purplefox_rootkit
behavioral1/memory/2516-30-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2648-34-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-35-0x0000000010000000-0x00000000101A0000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-50-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-51-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-52-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-53-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-54-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-55-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-56-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-57-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-58-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-59-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-60-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-61-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-62-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-63-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 18 IoCs

resource	yara_rule
behavioral1/memory/2516-12-0x0000000010000000-0x00000000101A0000-memory.dmp	family_gh0strat
behavioral1/memory/2516-30-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2648-34-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-35-0x0000000010000000-0x00000000101A0000-memory.dmp	family_gh0strat
behavioral1/memory/2548-50-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-51-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-52-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-53-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-54-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-55-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-56-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-57-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-58-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-59-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-60-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-61-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-62-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral1/memory/2548-63-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2516	Tempbkjwlkjlgk.exe
2648	NfvWne.exe
2548	NfvWne.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NfvWne.exe	Tempbkjwlkjlgk.exe
File opened for modification	C:\Windows\SysWOW64\NfvWne.exe	Tempbkjwlkjlgk.exe
File created	C:\Windows\SysWOW64\Delete00.bat	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

pid	Process
2516	Tempbkjwlkjlgk.exe
2648	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe
2548	NfvWne.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2596	PING.EXE
1664	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	Tempbkjwlkjlgk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
2516	Tempbkjwlkjlgk.exe
2648	NfvWne.exe
2548	NfvWne.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2516	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	28
PID 1868 wrote to memory of 2516	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	28
PID 1868 wrote to memory of 2516	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	28
PID 1868 wrote to memory of 2516	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	28
PID 2516 wrote to memory of 2284	2516	Tempbkjwlkjlgk.exe	30
PID 2516 wrote to memory of 2284	2516	Tempbkjwlkjlgk.exe	30
PID 2516 wrote to memory of 2284	2516	Tempbkjwlkjlgk.exe	30
PID 2516 wrote to memory of 2284	2516	Tempbkjwlkjlgk.exe	30
PID 2648 wrote to memory of 2548	2648	NfvWne.exe	31
PID 2648 wrote to memory of 2548	2648	NfvWne.exe	31
PID 2648 wrote to memory of 2548	2648	NfvWne.exe	31
PID 2648 wrote to memory of 2548	2648	NfvWne.exe	31
PID 2284 wrote to memory of 2596	2284	cmd.exe	33
PID 2284 wrote to memory of 2596	2284	cmd.exe	33
PID 2284 wrote to memory of 2596	2284	cmd.exe	33
PID 2284 wrote to memory of 2596	2284	cmd.exe	33
PID 1868 wrote to memory of 2476	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	34
PID 1868 wrote to memory of 2476	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	34
PID 1868 wrote to memory of 2476	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	34
PID 1868 wrote to memory of 2476	1868	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	34
PID 2476 wrote to memory of 1664	2476	cmd.exe	36
PID 2476 wrote to memory of 1664	2476	cmd.exe	36
PID 2476 wrote to memory of 1664	2476	cmd.exe	36
PID 2476 wrote to memory of 1664	2476	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
"C:\Users\Admin\AppData\Local\Temp\bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Tempbkjwlkjlgk.exe
  C:\Users\Admin\AppData\Local\Tempbkjwlkjlgk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\TEMPBK~1.EXE > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\System32\\Delete00.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1664

C:\Windows\SysWOW64\NfvWne.exe
C:\Windows\SysWOW64\NfvWne.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\NfvWne.exe
  C:\Windows\SysWOW64\NfvWne.exe -acsi
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delete00.bat

Filesize
165B

MD5
53766b95bdf5d8680386866a156062e9

SHA1
291dc723078f239a72ab22c31ae115a763da9d53

SHA256
22fd2a084d50593b57e5473f06ed6dc6a309a52188db9687b5564f476c28d86b

SHA512
f48586ec2ecd8766cc55114d585a4ea8afb69e60a1107758177d89a29dba02bbe107809a07aa09b8895ef7b060b8017d9014b9c448472e16ee3b54ca727029c4

Download Submit
\Users\Admin\AppData\Local\Tempbkjwlkjlgk.exe

Filesize
1.6MB

MD5
171f46469609b3a91f6bd1c54b900b9c

SHA1
a03620a7725985c3a9ad5629fafc23b0ab8e76bd

SHA256
a61b23fdf8dea7d94c8e181fd81d79739fe2153055a88920bd609f881b45a5b0

SHA512
dc864caa3be54bd5bb9896f5bee716902f17f33541396e7a2ae073da51761d627083cc056e1f3900396ae3c605b39fb8ea002c5ca42bc3c082affb1f6d410796

Download Submit
memory/1868-7-0x0000000011230000-0x0000000011709000-memory.dmp

Filesize
4.8MB

Download
memory/1868-9-0x0000000011230000-0x0000000011709000-memory.dmp

Filesize
4.8MB

Download
memory/2516-11-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2516-12-0x0000000010000000-0x00000000101A0000-memory.dmp

Filesize
1.6MB

Download
memory/2516-30-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-51-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-59-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-35-0x0000000010000000-0x00000000101A0000-memory.dmp

Filesize
1.6MB

Download
memory/2548-63-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-50-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-62-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-52-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-53-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-54-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-55-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-56-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-57-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-58-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-32-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-60-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2548-61-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2648-21-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2648-34-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing