gh0strat

General

Target

6ee3cdd63e24d98facfe0db4e592af990b5b30a1572a9fb94722bb0df0409060
Size

1.2MB
Sample

250307-cv81fssvaz
MD5

92cbc81ec344880ebe62228b6d57c577
SHA1

39313001229c47c45d49809753023c653013e4c2
SHA256

6ee3cdd63e24d98facfe0db4e592af990b5b30a1572a9fb94722bb0df0409060
SHA512

ca34819e9c52410f2bcd6f8beee75fe876978ad668fc8c280ae613600812e61352e048e5f422c29635399aec5a63fbe5f8bafb08c9053d3d148e80ed1b96ea9d
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtic:WIwgMEuy+inDfp3/XoCw57XYBwKc

Score

10^/10

Malware Config

Targets

- Target
  
  6ee3cdd63e24d98facfe0db4e592af990b5b30a1572a9fb94722bb0df0409060
- Size
  
  1.2MB
- MD5
  
  92cbc81ec344880ebe62228b6d57c577
- SHA1
  
  39313001229c47c45d49809753023c653013e4c2
- SHA256
  
  6ee3cdd63e24d98facfe0db4e592af990b5b30a1572a9fb94722bb0df0409060
- SHA512
  
  ca34819e9c52410f2bcd6f8beee75fe876978ad668fc8c280ae613600812e61352e048e5f422c29635399aec5a63fbe5f8bafb08c9053d3d148e80ed1b96ea9d
- SSDEEP
  
  24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtic:WIwgMEuy+inDfp3/XoCw57XYBwKc
Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
  persistence
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2