gh0strat

General

Target

fakeapp1021.zip
Size

209.8MB
Sample

241021-rfva3sydjk
MD5

35b1c21281b2af2d432bf88b0bcb3925
SHA1

769b1c6e777e24842c14283fef5796e3dbb4918b
SHA256

2c576a26c8b19b03cd2123c89e6cdc38036ee4f1f58a20a288850233a802fe49
SHA512

f418f8f82120243225970528e791b34d72c3885333f31aec412556b033007dc05b39ce1dea0b43946c7642556aae95887cd61d1d3a5ca77397ab8cde545a7771
SSDEEP

6291456:hZHUeQ6xWN26ehUFx7tQ/QcIcP9DXyCWZWN3W29:h9EBBEUDeacP9XyC3m29

Score

10^/10

Malware Config

Targets

- Target
  
  YoudaodbDictSetup.msi
- Size
  
  137.3MB
- MD5
  
  25a66e2b89ffbccc4212ed9667aabad6
- SHA1
  
  da741340579368470360ac24492e49e832c18280
- SHA256
  
  bc4ee3094614f5d0a77cf72a0a997dddcc6906632798d36724b86323c00f43dd
- SHA512
  
  1b2c87bde46ba2f7d811790ac954afdb4b40bcd33b328569c2e6a94764762fa0e13210333bfd0e8218819d05dbdec070fc075826b5da9490781330c602a8acfc
- SSDEEP
  
  3145728:BzYKj8WH3zFrbOc+ZWh4kWjoNFoaApVQ9CBkNNWKmH7M7x3e:eCjhbOJWhi4FoMy0NWl7M7xu
Score

10^/10

gh0strat purplefox discovery persistence privilege_escalation rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  telcgaem.exe
- Size
  
  78.3MB
- MD5
  
  15c47c49822e2e151570f92f2c888810
- SHA1
  
  00bd79f05c1d2d6e1cd183b9091cfc49186d19db
- SHA256
  
  8b14e06f3d18713e80f1af4fba599c61c1afc60ae1188155fd1232dd2e912274
- SHA512
  
  ee20bd72a84482921e0ffa7321cafa5c80817ca26f5e74682b4d2bb9bc3043e36e05993db88c0b5634ac3db9933987f2b49127dd1e705a20d6786aa521936f5f
- SSDEEP
  
  1572864:NjsyFFS7s0bdNcqNdZStgE47uuJm3nB5ddE0OFS7s0bdNcqNdZvFS7s0bdNcqNdJ:HncsadOqNdstZ47uFbdRIcsadOqNd3cV
Score

10^/10

discovery evasion trojan
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4