gh0strat | 21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2 | Triage

Submit
Reports

Overview

overview

Static

static

1

WPS Office...35.msi

windows7-x64

6

WPS Office...35.msi

windows10-2004-x64

Sharing

General

Target

WPS Office_104693057_401535.msi.v
Size

15.4MB
Sample

240920-e3qvysycqb
MD5

ca9086b9f4e1cbfae86204a0e2cbea07
SHA1

4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15
SHA256

21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2
SHA512

b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984
SSDEEP

393216:WAxJ3qt2MkEOEsQ+D8PjbtTBQqc4dq47aJ7IKw9M38hoTjZ5Uu0H:WU3o2NNjgrpFQq3dd7aJkvFhoTrV0H

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

WPS Office_104693057_401535.msi

Resource

win7-20240708-en

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

WPS Office_104693057_401535.msi

Resource

win10v2004-20240802-en

gh0strat purplefox discovery rat rootkit trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  WPS Office_104693057_401535.msi.v
- Size
  
  15.4MB
- MD5
  
  ca9086b9f4e1cbfae86204a0e2cbea07
- SHA1
  
  4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15
- SHA256
  
  21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2
- SHA512
  
  b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984
- SSDEEP
  
  393216:WAxJ3qt2MkEOEsQ+D8PjbtTBQqc4dq47aJ7IKw9M38hoTjZ5Uu0H:WU3o2NNjgrpFQq3dd7aJkvFhoTrV0H
Score

10^/10

discovery gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpurplefoxdiscoveryratrootkittrojan

© 2018-2025

Terms | Privacy