gh0strat | 1b72c2d6881343b33896c6f6281db8d56d0bc80c469058dee71aa3603c8ed44c

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dzaisizs.exe
Size

83.9MB
MD5

054daa5a9405421ea1e8ee0ba456234c
SHA1

4c32e3c5e663a035e05ffdbdf4e61c99735897ab
SHA256

1b72c2d6881343b33896c6f6281db8d56d0bc80c469058dee71aa3603c8ed44c
SHA512

ed99087de113b484ab896a260dfb68f017570d9f38caef90ff3b0a3515b7cdb77ac0e61e8922a9925d86abfefb729214107327ff1c9d6d2aef37d4211a6b7757
SSDEEP

1572864:qsFmG/LCRZCLYQUux91mt46TpmSHGErH5y0oBO/rWZqyKjVnQTnP:qf0sQr1mt4WpmSzQBFyO

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2840-0-0x0000000010000000-0x0000000010199000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2840-0-0x0000000010000000-0x0000000010199000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzaisizs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2840	dzaisizs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	dzaisizs.exe

C:\Users\Admin\AppData\Local\Temp\dzaisizs.exe
"C:\Users\Admin\AppData\Local\Temp\dzaisizs.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-0-0x0000000010000000-0x0000000010199000-memory.dmp

Filesize
1.6MB

Download