Analysis
- max time kernel: 135s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 28/08/2023, 17:09

Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: 5c98bc48d85d18493fedbb3e8f0763c4e51fe2f42686788cd8d7235fd9d3757e.dll
- Resource: win7-20230712-en
- 6 signatures
- 150 seconds
General
- Target: 5c98bc48d85d18493fedbb3e8f0763c4e51fe2f42686788cd8d7235fd9d3757e.dll
- Size: 3.0MB
- MD5: c1d9869d4fca879aea2a066883d1f80e
- SHA1: 04ab98b5130eefd3fc700b3b222c49750e1856d4
- SHA256: 5c98bc48d85d18493fedbb3e8f0763c4e51fe2f42686788cd8d7235fd9d3757e
- SHA512: 93b8cea2e01f3fb69f7321532e2e6f04ee9716ee2db3c751e4f4e526283964f89ec2dea8e99f3faa67249a81f459fb11f979a56183e236203ca472cdeb5430b6
- SSDEEP: 49152:jogGkSPwrhh+vDDpQFDb0O3AfVI8tdjEcFiD:jfGkSChaDDpQlbpEI8Hu
Malware Config
Signatures
- (signature name not present in this extract)
  resource | yara_rule
  behavioral1/memory/2464-0-0x0000000002000000-0x0000000002192000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/2464-0-0x0000000002000000-0x0000000002192000-memory.dmp | family_gh0strat
- Blocklisted process makes network request (7 IoCs)
  flow | pid | Process
  2 | 2464 | rundll32.exe
  5 | 2464 | rundll32.exe
  6 | 2464 | rundll32.exe
  7 | 2464 | rundll32.exe
  8 | 2464 | rundll32.exe
  9 | 2464 | rundll32.exe
  10 | 2464 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1880 wrote to memory of 2464 | 1880 | rundll32.exe | 28
  (this row is repeated 7 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c98bc48d85d18493fedbb3e8f0763c4e51fe2f42686788cd8d7235fd9d3757e.dll,#1
  PID: 1880
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c98bc48d85d18493fedbb3e8f0763c4e51fe2f42686788cd8d7235fd9d3757e.dll,#1
    PID: 2464
    - Blocklisted process makes network request