gh0strat | e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c

General

Target

e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
Size

1.6MB
MD5

833c985671383fc6e3ed51314cdccd48
SHA1

f5c40fc83fb5ca40444311db97d5e869656cafac
SHA256

e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c
SHA512

7f447a649b8979767fb9e2fe0c794f3e084d5826bb26a8baaa215362c98f60b60788a337b83c3b33d62d165c4f94b1b56a6ac11645c314cb56f367cca75fbe9e
SSDEEP

24576:4QZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVQfJJsx/V1Dfun2y:4QZAdVyVT9n/Gg0P+WhoTJJsxLDmn2y

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4024-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4024-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4024-26-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4024-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2260-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2260-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2260-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4024-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4024-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2260-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/files/0x00070000000234f0-30.dat	family_gh0strat
behavioral2/memory/4024-26-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4024-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2260-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2260-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2260-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

pid	Process
4836	svchost.exe
4024	TXPlatforn.exe
2260	TXPlatforn.exe
2788	svchos.exe
4816	HD_e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe

Loads dropped DLL 1 IoCs

pid	Process
2788	svchos.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4836-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4024-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4024-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4024-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2260-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4024-26-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4024-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2260-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2260-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2260-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240633625.txt	svchos.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	2788	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
220	cmd.exe
4980	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4980	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2260	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4836	svchost.exe
Token: SeLoadDriverPrivilege	2260	TXPlatforn.exe
Token: 33	2260	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2260	TXPlatforn.exe
Token: 33	2260	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2260	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4836	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	84
PID 1628 wrote to memory of 4836	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	84
PID 1628 wrote to memory of 4836	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	84
PID 4024 wrote to memory of 2260	4024	TXPlatforn.exe	87
PID 4024 wrote to memory of 2260	4024	TXPlatforn.exe	87
PID 4024 wrote to memory of 2260	4024	TXPlatforn.exe	87
PID 4836 wrote to memory of 220	4836	svchost.exe	86
PID 4836 wrote to memory of 220	4836	svchost.exe	86
PID 4836 wrote to memory of 220	4836	svchost.exe	86
PID 1628 wrote to memory of 2788	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	88
PID 1628 wrote to memory of 2788	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	88
PID 1628 wrote to memory of 2788	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	88
PID 220 wrote to memory of 4980	220	cmd.exe	94
PID 220 wrote to memory of 4980	220	cmd.exe	94
PID 220 wrote to memory of 4980	220	cmd.exe	94
PID 1628 wrote to memory of 4816	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	97
PID 1628 wrote to memory of 4816	1628	e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe	97

C:\Users\Admin\AppData\Local\Temp\e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
"C:\Users\Admin\AppData\Local\Temp\e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4980
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 452
    3⤵
    - Program crash
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\HD_e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
  C:\Users\Admin\AppData\Local\Temp\HD_e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe
  2⤵
  - Executes dropped EXE
  PID:4816

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.5MB

MD5
a677ef4358e70d26274c10fcb51117e7

SHA1
aef44bbb1f9a42efeff8b908ae89e5c004c14487

SHA256
7771205e43125eaf1ff3e694364ed51d0224cb7733f2d55fea4bd1b9be18da51

SHA512
28205cf3a2abad893f30630c86d8fb308758fb7f56c66617d9ed00f6188836a2058c4bef5aed441a9dee1f195faafaa41e4f8dbde8b414aedb1d8975c579a42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_e57e284985633b840dd46273e8d834b5163542b5dfe84df08a90745d2230f42c.exe

Filesize
20KB

MD5
01a146505f88c7542106db3a5eb6af9e

SHA1
dc5acc36d24bc0ba7e8353aa5d47d98d3ba911fb

SHA256
e701c034a95b5fc2aeae4506486f2202b8eaa7eb20284fe1dae754ecbc0b319a

SHA512
d467a6f5b4937bee9dc7b84e48376d1bc756b88d0daaa356f37105c47b667d8543873d7dfdce3de0dbd6d9386755e878b854e5afc5c44791e0d97e93fa4fb2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\240633625.txt

Filesize
50KB

MD5
da7cd4a8441dd18c08850e7dc991700c

SHA1
96b3f79d1f8bfd04188d0402b8a1b94675571b59

SHA256
9aa51663f2146557675d91c8df733c2299535b5d3a445fe846289979bb4e0bb5

SHA512
81fda8a4d6ff9922f8574d2b2086c7bf3708597237cc121f164b728ccf305e2ed7e72ce1bbbdc5ef1b522ee1918b2ba65660bffbef838356983307e5a1bbb3b2

Download Submit
memory/2260-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2260-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2260-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2260-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4024-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4024-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4024-26-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4024-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4024-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads