gh0strat | b8f70b0e7640bc7a6556b9db8a67229e0bdb95ce52ba6bb4c4cc5823d722bb4b | Triage

Submit
Reports

Overview

overview

Static

static

1

luoma2 (2).msi

windows10-2004-x64

luoma2 (2).msi

windows11-21h2-x64

Sharing

General

Target

b8f70b0e7640bc7a6556b9db8a67229e0bdb95ce52ba6bb4c4cc5823d722bb4b
Size

3.9MB
Sample

250415-rkxl1ay1h1
MD5

420565bc2c05b356deef986cbd8c9369
SHA1

86b23f5f239c48dd796b0e6edb0a3918ade1f534
SHA256

b8f70b0e7640bc7a6556b9db8a67229e0bdb95ce52ba6bb4c4cc5823d722bb4b
SHA512

d88a57b544c0e95579ea7a16ed9f24b7caf5fb1a522e77f82a15e0bd7caa72672c083b87e3f7aac94dc6b5a1895d9effee5cd7a9bd1fe2fcb48b2edd3df04a58
SSDEEP

98304:CbJW/Moe49DlOZw7E5Tdi0K9w+UGZjLLGU4Ar8md5SsZ:WkxNDl2wA5Tdipuk5GU4vwJZ

Score

10^/10

gh0strat purplefox discovery execution rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

luoma2 (2).msi

Resource

win10v2004-20250313-en

gh0strat purplefox discovery execution rat rootkit trojan

windows10-2004-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

luoma2 (2).msi

Resource

win11-20250410-en

gh0strat purplefox discovery execution rat rootkit trojan

windows11-21h2-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  luoma2 (2).msi
- Size
  
  3.9MB
- MD5
  
  daa3ec4cd16303cd510f8c95ebbfb8fd
- SHA1
  
  304c9caf4edc41e9a0ecfd6115cc684f9e23a316
- SHA256
  
  65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a
- SHA512
  
  0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc
- SSDEEP
  
  98304:18+N9QHCaCS1B1a/OxyzH7usEdKMUWnVf3CYk4p20B7Kk:1NKvFB1aOAzH7u1c6pCYk9A9
Score

10^/10

gh0strat purplefox discovery execution rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxdiscoveryexecutionratrootkittrojan

behavioral2

gh0stratpurplefoxdiscoveryexecutionratrootkittrojan

© 2018-2025

Terms | Privacy