Shellex
Behavioral task
behavioral1
Sample
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll
Resource
win10v2004-20241007-en
General
-
Target
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll
-
Size
1.2MB
-
MD5
791a88d0cafa95f8fa4a548f242f032a
-
SHA1
ea872c3ecd14e55ec4b013278aed286b0da9e1ed
-
SHA256
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
-
SHA512
ef6357e33a2c0962b66485d03f51bcab1456eb3985113c074ad5524dab98e8cdd82fba0f281ca3b7f3f2d71f274cd65b797c0c66f4c33bdae8b60b4a8293355c
-
SSDEEP
24576:wTuZCN0qRwoDFGMmtci8l8cq1PXv0uM5GrkQPXHMtR1tD1bqtT6RqK0Xcda:PgZrLsT6a
Malware Config
Signatures
-
Processes:
resource yara_rule sample purplefox_rootkit -
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule sample family_gh0strat -
Gh0strat family
-
Purplefox family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll
Files
-
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69.dll.dll windows:4 windows x86 arch:x86
6718574bfa82ab04bcaf82fa9136fc6c
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
Process32First
GetSystemDirectoryA
TerminateProcess
OpenProcess
ExitProcess
GetVersion
DeviceIoControl
Beep
GetVersionExA
GetModuleFileNameA
WinExec
TerminateThread
GetTickCount
GetCommandLineA
FreeConsole
GetCurrentProcessId
GetConsoleProcessList
AttachConsole
GetWindowsDirectoryA
WideCharToMultiByte
MultiByteToWideChar
GlobalSize
QueryPerformanceFrequency
QueryPerformanceCounter
LoadLibraryW
GlobalMemoryStatusEx
GetDriveTypeA
ReleaseMutex
CreateMutexA
GetCurrentThread
GetEnvironmentVariableA
GetCurrentThreadId
CreatePipe
CopyFileA
lstrcpyW
Module32Next
lstrcmpiA
Module32First
CreateRemoteThread
GetProcessId
ResumeThread
OpenThread
Thread32Next
Thread32First
SuspendThread
Process32Next
GlobalMemoryStatus
GetComputerNameA
GetPrivateProfileStringA
SystemTimeToTzSpecificLocalTime
lstrcpynA
lstrcmpA
lstrcatA
CreateProcessA
GetProcAddress
lstrcpyA
CreateDirectoryA
GetLastError
DeleteFileA
GetCurrentProcess
IsWow64Process
SetFilePointer
WriteFile
CreateFileA
GetFileSize
ReadFile
lstrlenA
FreeLibrary
IsBadReadPtr
VirtualProtect
HeapReAlloc
HeapAlloc
GetProcessHeap
HeapFree
CancelIo
SetEvent
ResetEvent
CreateEventA
LocalAlloc
LocalReAlloc
LocalSize
LocalFree
Sleep
GetFileAttributesA
GetModuleHandleA
GetLocalTime
GlobalAlloc
GlobalLock
GlobalFree
GlobalUnlock
CreateThread
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
InterlockedExchange
CreateToolhelp32Snapshot
GetFileAttributesExA
FileTimeToSystemTime
MoveFileA
SetFileAttributesA
RemoveDirectoryA
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetPriorityClass
GetDiskFreeSpaceExA
WaitForSingleObject
CloseHandle
LoadLibraryA
GetSystemInfo
user32
SetRect
GetCursorPos
GetCursorInfo
PostMessageA
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
SystemParametersInfoA
ReleaseDC
BlockInput
DestroyCursor
LoadCursorA
GetDC
GetSystemMetrics
ChangeDisplaySettingsA
FindWindowA
ShowWindow
MoveWindow
GetWindowRect
SwapMouseButton
ExitWindowsEx
EnumWindows
GetKeyState
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
CharNextA
GetDesktopWindow
wsprintfA
EmptyClipboard
SetClipboardData
OpenClipboard
GetClipboardData
CloseClipboard
GetWindowLongA
PostQuitMessage
SetWindowLongA
LoadIconA
SetClassLongA
DestroyWindow
SetFocus
GetWindowTextLengthA
SetWindowTextA
SetDlgItemTextA
CreateDialogIndirectParamA
GetDlgItem
SetWindowPos
OpenInputDesktop
GetDlgItemTextA
CloseDesktop
GetThreadDesktop
GetUserObjectInformationA
SetThreadDesktop
GetWindowThreadProcessId
WaitForInputIdle
GetClassNameA
GetWindow
GetLastInputInfo
IsIconic
MessageBoxA
IsWindowVisible
GetMessageA
IsDialogMessageA
TranslateMessage
SendMessageA
DispatchMessageA
gdi32
GetDeviceCaps
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetRegionData
CombineRgn
CreateRectRgnIndirect
GetDIBits
CreateCompatibleBitmap
SelectObject
advapi32
RegOpenKeyA
GetTokenInformation
LookupAccountSidA
AbortSystemShutdownA
RegCloseKey
RegOpenKeyExA
GetUserNameA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
RegCreateKeyA
StartServiceA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
SetServiceStatus
DeleteService
FreeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AllocateAndInitializeSid
RegEnumValueA
RegEnumKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
RegCreateKeyExA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
ControlService
QueryServiceStatus
QueryServiceConfig2A
QueryServiceConfigA
EnumServicesStatusA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CheckTokenMembership
shell32
ShellExecuteExA
SHGetFolderPathA
SHGetSpecialFolderPathA
SHGetFileInfoA
ShellExecuteA
ole32
CoUninitialize
CoCreateInstance
CoInitialize
oleaut32
SysFreeString
mfc42
ord825
ord823
ord801
ord540
ord541
ord800
ord3811
ord860
ord2614
ord668
ord6883
ord941
ord3181
ord3304
ord3010
ord3310
ord3324
ord4215
ord1980
ord3178
ord4058
ord2781
ord2770
ord922
ord537
ord858
ord356
ord1979
ord2764
ord6874
ord5572
ord5442
ord2915
ord4204
ord665
ord5186
ord354
ord6143
ord2818
ord4202
ord924
ord926
ord3663
ord6876
ord939
ord536
ord535
ord5710
ord6282
ord2763
ord4278
ord6662
ord4129
ord2784
ord6283
ord940
ord5440
ord6383
ord6394
ord2919
ord5450
msvcrt
_adjust_fdiv
_initterm
_onexit
__dllonexit
??1type_info@@UAE@XZ
_snprintf
swprintf
_splitpath
strncpy
atol
strncat
realloc
fgets
srand
time
isdigit
_iob
_access
wcstombs
mbstowcs
_errno
_wcsupr
_strcmpi
_itoa
_strnicmp
fprintf
sscanf
getenv
vsprintf
exit
__CxxFrameHandler
memmove
ceil
_ftol
strstr
wcslen
wcscpy
sprintf
printf
fclose
fopen
remove
atoi
free
malloc
strncmp
_CIpow
floor
strchr
tolower
_CxxThrowException
_stricmp
_except_handler3
strrchr
_strlwr
wcsstr
rand
system
msvcp60
??0_Lockit@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?_Xlen@std@@YAXXZ
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
winmm
mciSendStringA
waveInGetNumDevs
ws2_32
gethostname
inet_addr
getsockname
bind
getpeername
accept
listen
sendto
recvfrom
ntohs
inet_ntoa
send
closesocket
recv
select
gethostbyname
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
__WSAFDIsSet
ioctlsocket
socket
htons
iphlpapi
GetIfTable
dwmapi
DwmIsCompositionEnabled
ord102
shlwapi
PathFindFileNameA
PathUnquoteSpacesA
PathRemoveArgsA
PathGetArgsA
SHDeleteKeyA
wininet
InternetGetConnectedState
InternetReadFile
HttpSendRequestA
InternetOpenUrlA
HttpOpenRequestA
InternetOpenA
InternetConnectA
InternetCloseHandle
HttpQueryInfoA
netapi32
NetUserSetInfo
NetUserAdd
NetUserGetLocalGroups
NetApiBufferFree
NetUserGetInfo
NetUserEnum
NetLocalGroupAddMembers
NetUserDel
psapi
GetProcessMemoryInfo
GetModuleFileNameExA
wtsapi32
WTSEnumerateSessionsA
WTSDisconnectSession
WTSLogoffSession
WTSQuerySessionInformationA
WTSFreeMemory
WTSQuerySessionInformationW
Exports
Exports
Sections
.text Size: 608KB - Virtual size: 607KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rodata Size: 12KB - Virtual size: 11KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rotext Size: 108KB - Virtual size: 107KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 268KB - Virtual size: 265KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 200KB - Virtual size: 634KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 4KB - Virtual size: 16B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 36KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ