gh0strat | ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f

General

Target

ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
Size

13.8MB
MD5

91f6f067afb0b7957728801b37c4ec97
SHA1

8a5b517024449366839048e8a981498419fff2a8
SHA256

ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f
SHA512

d9954094b6dd673370d50e940ac877a2cbce9b7bde7158650268db0e9f64b6051dcf6b61afbd29d055f8f87e7689572535908e1faf7234a2a4f69754fbca9a27
SSDEEP

393216:5irhlWxZXNwLL8ElWxZJNwqL80oHdRaMcGPj:4rhl6Qv8El6yC80QcGL

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/864-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/864-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/864-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2276-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3240-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3240-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2276-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2276-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2276-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3240-48-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/864-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/864-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/864-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2276-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3240-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3240-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2276-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2276-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2276-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3240-48-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe

Executes dropped EXE 5 IoCs

pid	Process
864	RVN.exe
2276	TXPlatforn.exe
4400	HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
3240	TXPlatforn.exe
3064	DPInst64.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/864-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/864-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/864-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/864-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2276-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2276-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3240-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3240-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2276-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2276-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2276-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3240-48-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DPINST.LOG	DPInst64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2388	cmd.exe
1104	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1104	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3240	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	864	RVN.exe
Token: SeLoadDriverPrivilege	3240	TXPlatforn.exe
Token: 33	3240	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3240	TXPlatforn.exe
Token: 33	3240	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3240	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 864	3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	84
PID 3192 wrote to memory of 864	3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	84
PID 3192 wrote to memory of 864	3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	84
PID 3192 wrote to memory of 4400	3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	87
PID 3192 wrote to memory of 4400	3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	87
PID 3192 wrote to memory of 4400	3192	ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	87
PID 2276 wrote to memory of 3240	2276	TXPlatforn.exe	89
PID 2276 wrote to memory of 3240	2276	TXPlatforn.exe	89
PID 2276 wrote to memory of 3240	2276	TXPlatforn.exe	89
PID 864 wrote to memory of 2388	864	RVN.exe	88
PID 864 wrote to memory of 2388	864	RVN.exe	88
PID 864 wrote to memory of 2388	864	RVN.exe	88
PID 2388 wrote to memory of 1104	2388	cmd.exe	91
PID 2388 wrote to memory of 1104	2388	cmd.exe	91
PID 2388 wrote to memory of 1104	2388	cmd.exe	91
PID 4400 wrote to memory of 3064	4400	HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	93
PID 4400 wrote to memory of 3064	4400	HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe	93

C:\Users\Admin\AppData\Local\Temp\ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
"C:\Users\Admin\AppData\Local\Temp\ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1104
- C:\Users\Admin\AppData\Local\Temp\HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
  C:\Users\Admin\AppData\Local\Temp\HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3064

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
584KB

MD5
312ccd4a3e3f198fa7f48dbc35feadb2

SHA1
d24b8625d1305b709cd0817295a9f89ea2a48710

SHA256
1c3d0187d4ff457e23bee62cf69a2aa5cf73f602ac209b596db47ecfabde8328

SHA512
5a26731958efb76763bfcb2805b8003077805e223ac5074ec34f921d658c85d8e3add84ca73e2cd55b2cd64ed59d60c9072d0af0535c22d9a148cdde670eae23

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe

Filesize
13.3MB

MD5
2e06a4ed6985a6558cd0bae7d89fa439

SHA1
2c7662c1c376b2d69a9f3eac750f5ef1ca43af4d

SHA256
dc1a447a5b07da68c77d80c37c38dcc6799f9466d189daa16cf3ac48d8b8e28a

SHA512
07c459c26d197734b4ac5a32c0bd224b1af66975cfdc3dfef3be8ec666584e072d0d6d569c4f8951dfe6e5e0b39684213546e18faf76d5208b5da19dd1174dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

Filesize
908KB

MD5
c3ac43b2018114a617e946aa8fdf3cac

SHA1
2d90f38bc995c9cd5efec52109f8bd2468001ca7

SHA256
ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117

SHA512
8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WUDFUpdate_01009.dll

Filesize
2.1MB

MD5
0306a26c0f455a1ca5d862f12cfa4600

SHA1
49038288bb6f0e1c27c18f1e0fe51f49f97c1546

SHA256
cb4a3bb8768ccc3c48f1324539d0d18ee8cf69ba409328d54cb1d47fa0de737b

SHA512
255b1e7acafe948e3d64dbb20e036a7ec98067e4961c14d91aec963b5f1187f17d76393477379f89b1a697589c3214edb2eece633f00c9a6bb1ed3d5821a7524

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
264850cd1b6b7dac95fffb101579caed

SHA1
b15f105e4e2088aa7cb632719ff8462a9e080633

SHA256
c2b893ef5d49888719491fcea41a5f6f58f1916681f8a7db6c4a2e61c798615c

SHA512
843575242ccbdffc1ad353469d5521bcf0f8a572deb0fe9cb283cab50de755ec680a6967d719624e30970b26209bfcb06b892f14af5af73d27cb36fdd012dff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\i386\NOTICE.txt

Filesize
236B

MD5
ea7f2158b930baf2c0fe799566489716

SHA1
f103d72fd8ee8240aab21f526ed0e4c8ee3a1525

SHA256
a19b767b9ddda7306c78232e4a223d0ba966471b74dce3c0c995307cab5bf7b7

SHA512
20351c59a906dff9622625f12e3bbe0b2260999913d4b2f18ec43e66656f1a9251e2462f269c7919f59c89a9b4569d505a095b50d8cfccfe0d37c0abf9ff79cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winusbcoinstaller2.dll

Filesize
987KB

MD5
c3b28eb02cc804c3886266e6a8f5c123

SHA1
bde780d98784c43c148e88243982acbc7854cbe6

SHA256
f195cbc0a65c85a26aba8f96b0859819f8d8a7429e1adf197da7221ef1d49502

SHA512
a23782dbb06e348ec232d308b44010864361518d6523e0025036c3ad9fe5a00b3cf57670b5c08924f6f1ff09927c0bfbbf33e754078dc508db96ba8c65353844

Download Submit
memory/864-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/864-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/864-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/864-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2276-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2276-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2276-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2276-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2276-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3240-48-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3240-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3240-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads