gh0strat

Sharing

General

Target

새 폴더 (2).zip
Size

60.4MB
Sample

241112-g5z8hsxaqe
MD5

eb8a382123a3636f81b31c3e6086d411
SHA1

987e2abc6f859f21e4073fbd896c88683fcd9ac3
SHA256

73b6df0add9bc6b5792d274d316ecd70d636847db25ce6f3e63e77fb72369037
SHA512

2695047c269213e0abd9fbd151d8721f7c282b90ef951cffe47e0b29727ea68c08c96059f5907cd7326b45a375a8030f991e73baf3f5e8e9003589ad2ba99123
SSDEEP

1572864:MSfVw4VJDATTOJAIPN29bKI6L5qneN2mP7YXW9I:Pm4VJDAT6JAoN29bkeXx

Score

10^/10

Malware Config

Extracted

Family

mofongoloader

https://securetestconnect.app/connection/test

Attributes

user_agent
UA/1

Targets

- Target
  
  48db28a1f4bd01050aa13f021c3b1dfd7aa7ed807592e0a23f3c7afbb7db78c5.exexx
- Size
  
  674KB
- MD5
  
  ab860c777ce9ad76b1c478623e3cda2a
- SHA1
  
  38dfc133a769a459ee322488a96179d71da56892
- SHA256
  
  48db28a1f4bd01050aa13f021c3b1dfd7aa7ed807592e0a23f3c7afbb7db78c5
- SHA512
  
  f23b09e3da1c1f7941a87b57e91ea0988524ad2a2b2aa56114331590e1da0d1d3da98a10626b48ecd995d54d02652236cf03f0707b4132b4c56e8b8d50d25548
- SSDEEP
  
  6144:GvZCqtNVfi0ZzEGFwMHViJ1bK+zjD+FM0kz6kUJYeASlF/+xZRtiKzvzaOchY5:GvZCCukzEGCMHViPbK+zWFPkzNzDKO5
Score

1^/10
behavioral1 behavioral2
- Target
  
  595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exexx
- Size
  
  28.7MB
- MD5
  
  a75bd304b668cfa64640b22e4c231349
- SHA1
  
  2a72f8bb89047305062d53337098c5e0573d9ff3
- SHA256
  
  595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e
- SHA512
  
  60f35560be97a8674c5c1e1916340655f619702dc6d95cfa32a4c7fad284e27b45a5dda5fc79a2ce0d8e0a87583ca1caa0ecae54ece10a1f5abdd5b9cdc41471
- SSDEEP
  
  786432:kxZADx6Nw9CJarloXOqTIzauR93oSQkNd:t6N9c2XRPC93oLkf
Score

7^/10

discovery evasion persistence trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4
- Target
  
  689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exexx
- Size
  
  27.6MB
- MD5
  
  220d1ef8904ec400ad2c63fe40c21a75
- SHA1
  
  04c5bb65b1a65e7a159c17b8bbaf4e286009370e
- SHA256
  
  689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33
- SHA512
  
  1ec2cfb174fd749bbec0a87a8cffbfe81284b68a7a09ae1a32cea51cf4d17dadad0f04f185aa8492ec186d409b1422f20ae59b530ed15598e453d923b9f3be4a
- SSDEEP
  
  786432:kbnq/UYXTOALUyampRu7cAcwKwV8dPNck+/Fj4y:H/UYXlYyad1cBwV++/Wy
Score

10^/10

discovery gh0strat purplefox evasion persistence privilege_escalation rat rootkit spyware stealer trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  79c92912e557a1cbd3299221952a42beb62ce12baa8aafaae285171bd88cf71e.exexx
- Size
  
  674KB
- MD5
  
  b2dc35428fe92c4e21e9c4d70fbeb6f2
- SHA1
  
  73be5079aa7495f8839cf9497ad5d3151b4ee5a2
- SHA256
  
  79c92912e557a1cbd3299221952a42beb62ce12baa8aafaae285171bd88cf71e
- SHA512
  
  93ec4638e10b4906c48e5c5eadf6264ba0170cba8645f6cf549524c965ac269709cd74bf359870b90450b7bccfdf7445006244f7b34af2c5a995f849a7de00dd
- SSDEEP
  
  6144:GvZCqtNVfi0ZzEGFwMHViJ1bK+zjD+FM0kz6kUJYeASlF/+xZRtiKzvzaOchYF:GvZCCukzEGCMHViPbK+zWFPkzNzDKOF
Score

1^/10
behavioral7 behavioral8
- Target
  
  7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8.exexx
- Size
  
  3.9MB
- MD5
  
  c8420fe03d088ed9558dea175de7711f
- SHA1
  
  2feece2652375bee5171f31d10caf9ea4291ed36
- SHA256
  
  7c7a1691b47e950616215c93e2cd4ec1893f646a44146ca7b6cd6352b9dee2c8
- SHA512
  
  ef935456d3fd0a7f32b1abb8bfc2ccb9b37443835157f9b8805875fce15ab1b9ec1639253d6ec20b83dadae714531e49f6c26621fbb5ffca46af665a5df88a2a
- SSDEEP
  
  98304:rUg3G64EgdhTNuQmT19jSxkUDsY5HJFWHzFJkyTnIDQVVNdM8LtUIgCfhsT:lGNXNu/LjeOY5pFovkyTIDQs8LqIgCK
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9