gh0strat | 8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b | Triage

Submit
Reports

Overview

overview

Static

static

1

zuixinaisi.msi

windows7-x64

8

zuixinaisi.msi

windows10-2004-x64

Sharing

General

Target

zuixinaisi.msi.v
Size

233.8MB
Sample

240914-j3gz9svclf
MD5

df0ddca33d18cef60dbfdad992a21ff3
SHA1

5db0a225c9713d93412d01c5df5398811e54d1e5
SHA256

8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b
SHA512

e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda
SSDEEP

6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD

Score

10^/10

gh0strat purplefox defense_evasion discovery execution persistence privilege_escalation rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

zuixinaisi.msi

Resource

win7-20240903-en

defense_evasion discovery execution persistence privilege_escalation

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

zuixinaisi.msi

Resource

win10v2004-20240802-en

gh0strat purplefox defense_evasion discovery execution persistence privilege_escalation rat rootkit trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Targets

- Target
  
  zuixinaisi.msi.v
- Size
  
  233.8MB
- MD5
  
  df0ddca33d18cef60dbfdad992a21ff3
- SHA1
  
  5db0a225c9713d93412d01c5df5398811e54d1e5
- SHA256
  
  8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b
- SHA512
  
  e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda
- SSDEEP
  
  6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD
Score

10^/10

defense_evasion discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Access Token Manipulation

Create Process with Token

Event Triggered Execution

Installer Packages

Defense Evasion

Access Token Manipulation

Create Process with Token

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

behavioral2

gh0stratpurplefoxdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratrootkittrojan

© 2018-2025

Terms | Privacy