gh0strat | 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Size

2.0MB
MD5

c37ec28ac7d470aec71fbf5292cc29af
SHA1

bcaea4cd253a461bccde525a98a786b0fa1727c9
SHA256

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c
SHA512

7edcdafdd29f653a96e9d1da440769d4c17a91afb494f963da714273a05dc5d60e0ae1cbc460412ca09a3a59536647bd48557a829f93b62da94298eacde4cb7e
SSDEEP

49152:zQZAdVyVT9n/Gg0P+WhozpeLEZPItx2apeapelI:0GdVyVT9nOgmhDLltUvlI

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2100-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2100-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2100-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2364-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2364-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2736-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2736-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2736-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2100-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2100-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2100-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2364-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2364-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2736-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\259421893.txt	family_gh0strat
behavioral1/memory/2736-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2736-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
persistence

Terminal Services DLL
T1505.005

Processes:

svchos.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259421893.txt" svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

TXPlatforn.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Executes dropped EXE 6 IoCs

Processes:

svchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid process

2100 svchost.exe
2364 TXPlatforn.exe
2736 TXPlatforn.exe
2716 svchos.exe
2532 HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
1588 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259421893.txt"	svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

pid	process
2100	svchost.exe
2364	TXPlatforn.exe
2736	TXPlatforn.exe
2716	svchos.exe
2532	HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
1588	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 8 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exeTXPlatforn.exesvchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
2364	TXPlatforn.exe
1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
2716	svchos.exe
2500	svchost.exe
1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
2500	svchost.exe
1588	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2100-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2100-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2100-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2100-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2364-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2364-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2736-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2736-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2736-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchos.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\259421893.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2508 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid process

1152 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2736 TXPlatforn.exe

pid	process
2508	PING.EXE

pid	process
2736	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	2736	TXPlatforn.exe
Token: 33	2736	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2736	TXPlatforn.exe
Token: 33	2736	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2736	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid process

1152 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
1152 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exesvchost.exeTXPlatforn.execmd.exesvchost.exe

description	pid	process	target process
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 1152 wrote to memory of 2100	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 2100 wrote to memory of 2728	2100	svchost.exe	cmd.exe
PID 2100 wrote to memory of 2728	2100	svchost.exe	cmd.exe
PID 2100 wrote to memory of 2728	2100	svchost.exe	cmd.exe
PID 2100 wrote to memory of 2728	2100	svchost.exe	cmd.exe
PID 1152 wrote to memory of 2716	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 1152 wrote to memory of 2716	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 1152 wrote to memory of 2716	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 1152 wrote to memory of 2716	1152	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2364 wrote to memory of 2736	2364	TXPlatforn.exe	TXPlatforn.exe
PID 2728 wrote to memory of 2508	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2508	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2508	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2508	2728	cmd.exe	PING.EXE
PID 2500 wrote to memory of 1588	2500	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2500 wrote to memory of 1588	2500	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2500 wrote to memory of 1588	2500	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2500 wrote to memory of 1588	2500	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Users\Admin\AppData\Local\Temp\8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
"C:\Users\Admin\AppData\Local\Temp\8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2508

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716

C:\Users\Admin\AppData\Local\Temp\HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
C:\Users\Admin\AppData\Local\Temp\HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259421893.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.3MB

MD5
1d11509b592835454704b96d200d58f5

SHA1
8f27489600453cc398db7676247022b0de4ec725

SHA256
090b2121231418f48a63a21c7ef16a5e05d280898946c2a5850267088b23043c

SHA512
7d2766b44d03162f45206d49c917383dea801e1ec14af356efdf945839b7e344feae119ab6a0fdd5b3a628710248f6cb1511ede7d8fefe3a79931714c1ab9ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe
Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
\Users\Admin\AppData\Local\Temp\HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Filesize
645KB

MD5
00eae789b0aab1b0fbd23b830fbf1064

SHA1
e4e5fd089f6ae17c83f073cf91edc9db8189980d

SHA256
7addb2269266ac471a690802cab54539b40c2ae5b31e2120fdcf8dfb0ed15dc7

SHA512
23a0e06b39f8b5a932ae5b8f60704ba265332b341ac8bab5b74b2f31f04ce8c7fe6f77278d70c7685cfa894ab0e25a70d89990f5f643b54c07337f90fa5943fb

Download Submit
\Windows\SysWOW64\259421893.txt
Filesize
50KB

MD5
a63efc712a5f168adc07c3114a7d065c

SHA1
b473194357ef6036d74a1f53efe9394c89bd1860

SHA256
bc72d5d4f5ad7468e88b180b7ed223ca37a20a6bfd12ef9b809f3ccc8d51c3d8

SHA512
61bf4804eefc3f9681cbf181f68b4f0c86185f5bce3b8db696ffd09479ffa53acbec6b000b204088dd2238b8edd753c52a485906e0082de3ae28f22cff9f248e

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2100-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2100-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2100-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2100-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2364-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2364-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2736-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2736-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2736-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download