gh0strat | e308b5f5029ee8f51f866beee18370456632409cd34a77e7992ae82ab282cdb6 | Triage

Submit
Reports

Overview

overview

Static

static

1

ggggugeliu...17.msi

windows7-x64

ggggugeliu...17.msi

windows10-2004-x64

Sharing

General

Target

ggggugeliulanqGoogle1217.msi.vir
Size

54.3MB
Sample

241221-nng4yaypgr
MD5

afbf73c1469b3641f62cccb2b0bb178a
SHA1

633fd0c782856aba35f718c6806a8693fc2a5689
SHA256

e308b5f5029ee8f51f866beee18370456632409cd34a77e7992ae82ab282cdb6
SHA512

b92be4412e560f3103252a98371c9e0b1a5fde0aaa1016a146988dd0a34acd7d8f43aefcfdd6dd4d53c6058ff5a2b649ae35402996a3b4db2557b010923eaa6b
SSDEEP

786432:kErzXzCnli5q0Nl+nIgX9mt9Pfn8qjeoiMyIDbbLJsaC+lLft7NmkudZ0/4YTx6V:RrvCnMjkmjfn8qjem6Rat7b4kl/F0

Score

10^/10

gh0strat purplefox aspackv2 discovery persistence privilege_escalation rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ggggugeliulanqGoogle1217.msi

Resource

win7-20241010-en

gh0strat purplefox aspackv2 discovery persistence privilege_escalation rat rootkit spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

ggggugeliulanqGoogle1217.msi

Resource

win10v2004-20241007-en

gh0strat purplefox aspackv2 discovery persistence privilege_escalation rat rootkit spyware stealer trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Targets

- Target
  
  ggggugeliulanqGoogle1217.msi.vir
- Size
  
  54.3MB
- MD5
  
  afbf73c1469b3641f62cccb2b0bb178a
- SHA1
  
  633fd0c782856aba35f718c6806a8693fc2a5689
- SHA256
  
  e308b5f5029ee8f51f866beee18370456632409cd34a77e7992ae82ab282cdb6
- SHA512
  
  b92be4412e560f3103252a98371c9e0b1a5fde0aaa1016a146988dd0a34acd7d8f43aefcfdd6dd4d53c6058ff5a2b649ae35402996a3b4db2557b010923eaa6b
- SSDEEP
  
  786432:kErzXzCnli5q0Nl+nIgX9mt9Pfn8qjeoiMyIDbbLJsaC+lLft7NmkudZ0/4YTx6V:RrvCnMjkmjfn8qjem6Rat7b4kl/F0
Score

10^/10

gh0strat purplefox aspackv2 discovery persistence privilege_escalation rat rootkit spyware stealer trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxaspackv2discoverypersistenceprivilege_escalationratrootkitspywarestealertrojan

behavioral2

gh0stratpurplefoxaspackv2discoverypersistenceprivilege_escalationratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy