gh0strat | 5568eef4606c4a429b65e9a0a13aa4859e4495d6eb57ddf127e1ee6c4262cb9d

Sharing

Copy URL Twitter E-mail

General

Target

5568eef4606c4a429b65e9a0a13aa4859e4495d6eb57ddf127e1ee6c4262cb9d
Size

1.2MB
MD5

148687e198421b2a925b1b4d3522d988
SHA1

e8d00008db77a89be8244eaacfcc570bf19e83b6
SHA256

5568eef4606c4a429b65e9a0a13aa4859e4495d6eb57ddf127e1ee6c4262cb9d
SHA512

bd32551146376ad54027d58ae619f9fb151c205f543e31861de9f89cea2e4a6f0d3e35e60d13ea41d5a461fe6a51dc6b4089048004920b3c7c3a4ccc8bef6442
SSDEEP

24576:pOWlaBGHdl3O+vvCiruOuPk1jiI8M5270AfHXMtRrrN9TlTrtTwr0K0vN:3g8brlhTw2

Score

10^/10

rootkit gh0strat purplefox

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
sample	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat
Purplefox family
purplefox

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
5568eef4606c4a429b65e9a0a13aa4859e4495d6eb57ddf127e1ee6c4262cb9d

Files

5568eef4606c4a429b65e9a0a13aa4859e4495d6eb57ddf127e1ee6c4262cb9d
.dll windows:4 windows x86

93a172ff3ea25269db1c0b8bd38d8cfd

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateToolhelp32Snapshot
Process32Next
Process32First
GetWindowsDirectoryA
CopyFileA
lstrcmpA
OpenProcess
TerminateProcess
OutputDebugStringA
GlobalSize
QueryPerformanceFrequency
QueryPerformanceCounter
GetVersionExA
WinExec
ExitProcess
GetVersion
DeviceIoControl
Beep
MoveFileExA
GetModuleFileNameA
TerminateThread
GetTickCount
GetCommandLineA
FreeConsole
GetCurrentProcessId
GetConsoleProcessList
AttachConsole
GetShortPathNameA
WideCharToMultiByte
MultiByteToWideChar
GetFileAttributesExA
GetPrivateProfileStringA
GlobalMemoryStatusEx
GetSystemInfo
GetSystemDirectoryW
GetModuleFileNameW
WritePrivateProfileStringA
GetCurrentThread
GetEnvironmentVariableA
CreateMutexA
GetCurrentThreadId
SetThreadPriority
SetPriorityClass
lstrcpyW
Module32Next
lstrcmpiA
Module32First
CreateRemoteThread
GetProcessId
ResumeThread
OpenThread
Thread32Next
Thread32First
SuspendThread
GetPriorityClass
GlobalMemoryStatus
GetComputerNameA
SystemTimeToTzSpecificLocalTime
lstrcpynA
GetFullPathNameW
CreateFileW
GetModuleHandleW
FileTimeToSystemTime
MoveFileA
SetFileAttributesA
RemoveDirectoryA
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
GetProcAddress
lstrcpyA
CreateDirectoryA
GetLastError
DeleteFileA
GetCurrentProcess
IsWow64Process
SetFilePointer
WriteFile
LocalSize
GetSystemDirectoryA
GetFileAttributesA
CreateFileA
GetFileSize
ReadFile
lstrlenA
LocalReAlloc
LocalAlloc
LocalFree
FreeLibrary
IsBadReadPtr
VirtualProtect
HeapReAlloc
HeapAlloc
GetProcessHeap
HeapFree
Sleep
CancelIo
SetEvent
ResetEvent
CreateEventA
GetModuleHandleA
GetLocalTime
GlobalAlloc
GlobalLock
GlobalFree
GlobalUnlock
CreateThread
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
InterlockedExchange
WaitForSingleObject
CloseHandle
LoadLibraryA
LoadLibraryW

user32

MessageBoxA
CharNextA
ChangeDisplaySettingsA
GetSystemMetrics
GetDC
LoadCursorA
DestroyCursor
ReleaseDC
CloseDesktop
FindWindowA
BlockInput
SetThreadDesktop
CreateDesktopA
OpenDesktopA
SystemParametersInfoA
ChildWindowFromPoint
ScreenToClient
MoveWindow
GetMenuItemID
MenuItemFromPoint
RealGetWindowClassA
PtInRect
GetWindowRect
GetWindowPlacement
PostMessageA
WindowFromPoint
wsprintfA
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetWindow
GetTopWindow
IsWindowVisible
PrintWindow
GetCursorInfo
GetCursorPos
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
EnumWindows
ExitWindowsEx
SwapMouseButton
OpenInputDesktop
GetThreadDesktop
GetUserObjectInformationA
GetWindowThreadProcessId
WaitForInputIdle
GetDesktopWindow
GetClassNameA
GetLastInputInfo
keybd_event
DefWindowProcA
CreateWindowExA
RegisterClassExA
CharLowerBuffA
SendMessageA
DispatchMessageA
TranslateMessage
ShowWindow
GetWindowLongA
PostQuitMessage
SetWindowLongA
LoadIconA
SetClassLongA
DestroyWindow
GetDlgItemTextA
SetFocus
GetWindowTextLengthA
SetWindowTextA
SetDlgItemTextA
CreateDialogIndirectParamA
GetDlgItem
SetWindowPos
GetMessageA
IsDialogMessageA
SetRect
SetCursorPos
SetCapture
mouse_event
MapVirtualKeyA
CloseClipboard

gdi32

GetDIBits
CreateRectRgnIndirect
CombineRgn
GetRegionData
CreateCompatibleBitmap
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
GetDeviceCaps

advapi32

ControlService
GetTokenInformation
LookupAccountSidA
AbortSystemShutdownA
RegOpenKeyA
RegFlushKey
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
EnumServicesStatusA
QueryServiceConfigA
QueryServiceConfig2A
QueryServiceStatus
RegCloseKey
RegQueryValueA
RegOpenKeyExA
GetUserNameA
RegSetValueExA
RegQueryValueExA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegCreateKeyA
StartServiceA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
SetServiceStatus
DeleteService
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
RegCreateKeyExA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase

shell32

SHAppBarMessage
SHGetSpecialFolderPathA
SHChangeNotify
ShellExecuteExA
SHGetFolderPathA
SHGetFileInfoA

ole32

CoUninitialize
CoCreateInstance
CoInitialize
CoCreateGuid

oleaut32

SysFreeString

mfc42

ord6283
ord4129
ord6662
ord4278
ord2763
ord6282
ord5710
ord535
ord536
ord939
ord6876
ord3663
ord926
ord924
ord4202
ord2818
ord6143
ord354
ord5186
ord665
ord4204
ord2915
ord5442
ord5572
ord6874
ord2764
ord1979
ord356
ord858
ord537
ord922
ord2770
ord2781
ord4058
ord3178
ord1980
ord4215
ord3324
ord3310
ord3010
ord3304
ord3181
ord941
ord6883
ord668
ord2614
ord860
ord3811
ord800
ord541
ord540
ord801
ord825
ord823
ord940
ord5440
ord6383
ord5450
ord6394
ord2919
ord2784

msvcrt

_splitpath
strncpy
atol
strncat
realloc
_snprintf
wcscat
printf
atoi
_findclose
_findnext
_findfirst
swprintf
time
exit
_errno
mbstowcs
wcstombs
??1type_info@@UAE@XZ
__dllonexit
_onexit
_initterm
_adjust_fdiv
_access
__CxxFrameHandler
_iob
ceil
_ftol
strstr
wcslen
wcscpy
sprintf
free
malloc
strncmp
system
floor
strchr
tolower
_CxxThrowException
_stricmp
_except_handler3
strrchr
_strlwr
wcsstr
srand
rand
_wcsupr
_strcmpi
_itoa
_strnicmp
fprintf
sscanf
getenv
vsprintf
_CIpow
memmove

msvcp60

??1_Lockit@std@@QAE@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
??1_Winit@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0Init@ios_base@std@@QAE@XZ
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
??0_Lockit@std@@QAE@XZ

winmm

mciSendStringA
waveInGetNumDevs

ws2_32

listen
__WSAFDIsSet
ioctlsocket
recvfrom
sendto
inet_ntoa
accept
getpeername
bind
getsockname
inet_addr
gethostname
ntohs
WSAStartup
send
closesocket
recv
select
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket

iphlpapi

GetIfTable

shlwapi

PathStripPathA
PathGetArgsA
PathRemoveArgsA
PathUnquoteSpacesA
PathFindFileNameA
StrStrA
SHDeleteKeyA

urlmon

URLDownloadToFileA

wininet

InternetReadFile
InternetOpenUrlA
InternetGetConnectedState
InternetOpenA
InternetConnectA
InternetCloseHandle
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA

netapi32

NetUserAdd
NetUserGetLocalGroups
NetApiBufferFree
NetUserGetInfo
NetUserDel
NetUserSetInfo
NetLocalGroupAddMembers
NetUserEnum

psapi

GetProcessMemoryInfo
GetModuleFileNameExA

wtsapi32

WTSEnumerateSessionsA
WTSQuerySessionInformationW
WTSDisconnectSession
WTSLogoffSession
WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

Shellex

Sections

.text
Size: 620KB - Virtual size: 619KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rotext
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 268KB - Virtual size: 266KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 200KB - Virtual size: 637KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

93a172ff3ea25269db1c0b8bd38d8cfd

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

mfc42

msvcrt

msvcp60

winmm

ws2_32

iphlpapi

shlwapi

urlmon

wininet

netapi32

psapi

wtsapi32

Exports

Exports

Sections

.text Size: 620KB - Virtual size: 619KB

.rodata Size: 12KB - Virtual size: 11KB

.rotext Size: 108KB - Virtual size: 107KB

.rdata Size: 268KB - Virtual size: 266KB

.data Size: 200KB - Virtual size: 637KB

.rsrc Size: 16KB - Virtual size: 12KB

.reloc Size: 36KB - Virtual size: 32KB

.text
Size: 620KB - Virtual size: 619KB

.rodata
Size: 12KB - Virtual size: 11KB

.rotext
Size: 108KB - Virtual size: 107KB

.rdata
Size: 268KB - Virtual size: 266KB

.data
Size: 200KB - Virtual size: 637KB

.rsrc
Size: 16KB - Virtual size: 12KB

.reloc
Size: 36KB - Virtual size: 32KB