gh0strat | 99220d8972a6f8881424513e1cc11161716f84400913f28493c6256d2d58f69d | Triage

Submit
Reports

Overview

overview

Static

static

3

quickq-setup.exe

windows7-x64

quickq-setup.exe

windows10-2004-x64

Sharing

General

Target

quickq-setup.exe.v
Size

125.0MB
Sample

240905-hczxqavcjr
MD5

0ff6074efc8680a0ec0bb44bca08f191
SHA1

c48972532e99a9a846690bb880e0b91ba202eb90
SHA256

99220d8972a6f8881424513e1cc11161716f84400913f28493c6256d2d58f69d
SHA512

afe4de5817433bd52d64fe7abc8754518be63bd1dbe7ebc631546a2707117901021518b5aeeb5800cc56fd661b390cb48bbf18881fd1883649860dd2dfdb21c9
SSDEEP

3145728:QBCe6GreS1e3aoeAmloP6AxVmsOQq9x/tDkIHLewAgQf/:QULzmUBx3sjB6wRA/

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

quickq-setup.exe

Resource

win7-20240903-en

gh0strat purplefox discovery rat rootkit trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

quickq-setup.exe

Resource

win10v2004-20240802-en

gh0strat purplefox discovery rat rootkit trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  quickq-setup.exe.v
- Size
  
  125.0MB
- MD5
  
  0ff6074efc8680a0ec0bb44bca08f191
- SHA1
  
  c48972532e99a9a846690bb880e0b91ba202eb90
- SHA256
  
  99220d8972a6f8881424513e1cc11161716f84400913f28493c6256d2d58f69d
- SHA512
  
  afe4de5817433bd52d64fe7abc8754518be63bd1dbe7ebc631546a2707117901021518b5aeeb5800cc56fd661b390cb48bbf18881fd1883649860dd2dfdb21c9
- SSDEEP
  
  3145728:QBCe6GreS1e3aoeAmloP6AxVmsOQq9x/tDkIHLewAgQf/:QULzmUBx3sjB6wRA/
Score

10^/10

gh0strat purplefox discovery rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxdiscoveryratrootkittrojan

behavioral2

gh0stratpurplefoxdiscoveryratrootkittrojan

© 2018-2025

Terms | Privacy