gh0strat | 08bbbfaeb90b044c848b005c2c80637b54b361da9eb303b045c4bab650ae876c

Sharing

Copy URL Twitter E-mail

General

Target

08bbbfaeb90b044c848b005c2c80637b54b361da9eb303b045c4bab650ae876c
Size

278KB
MD5

0be794e441b956898b5539f599bae049
SHA1

8678a3b1540db4c98cc2d947815fc2d8dec0998e
SHA256

08bbbfaeb90b044c848b005c2c80637b54b361da9eb303b045c4bab650ae876c
SHA512

2feb5b35d93d3ceabc9c0f1a81cfd5eb90a2cfa52b0f752be2e4d3d6715e0d0e4201e4e52e0386e4737b6679423d995f748d8f625d60a690b2c89db35c10cc7b
SSDEEP

6144:ldutY1Jr89VPKh9hHaBbj8cdWoFJHKmAuML15IO4GawuRSrU9du:Tmor89ViHhHadFJKJdr84r9

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
static1/unpack001/DNF刷商城工具.exe	family_gh0strat

Gh0strat family
gh0strat

Files

08bbbfaeb90b044c848b005c2c80637b54b361da9eb303b045c4bab650ae876c
.rar
DNF刷商城工具.exe
.exe windows x86

5cf87cce343affca7626f5bbab72e012

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapFree
GetProcAddress
GetModuleHandleA
HeapAlloc
GetProcessHeap
GetLastError
lstrcatA
ExitProcess
WideCharToMultiByte
MultiByteToWideChar
GetSystemDirectoryA
DeleteFileA
SetFileAttributesA
MoveFileA
FreeResource
CloseHandle
lstrlenA
WriteFile
SizeofResource
SetFileTime
LocalFileTimeToFileTime
SystemTimeToFileTime
CreateFileA
LoadResource
FindResourceA
GetTickCount
GetTempPathA
lstrcpyA
lstrcmpiA
SetLastError
GetFileAttributesA
ReadFile
SetFilePointer
GetModuleFileNameA
Process32Next
Process32First
CreateToolhelp32Snapshot
LockResource
SetUnhandledExceptionFilter
GetCommandLineA
GetCurrentThreadId
Sleep
LoadLibraryA
RaiseException
InterlockedExchange
LocalAlloc
FreeLibrary
GetStartupInfoA

msvcrt

__CxxFrameHandler
_CxxThrowException
??3@YAXPAX@Z
fclose
fwrite
fopen
strstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??2@YAPAXI@Z
strchr
malloc
realloc
_except_handler3

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 131KB - Virtual size: 130KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
tak_deco_lib.dll
.dll windows x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

tak_APE_GetDesc
tak_APE_GetErrorString
tak_APE_GetIndexOfKey
tak_APE_GetItemDesc
tak_APE_GetItemKey
tak_APE_GetItemNum
tak_APE_GetItemValue
tak_APE_GetTextItemValueAsAnsi
tak_APE_ReadOnly
tak_APE_State
tak_APE_Valid
tak_GetCodecName
tak_GetLibraryVersion
tak_SSD_Create_FromFile
tak_SSD_Create_FromStream
tak_SSD_Destroy
tak_SSD_GetAPEv2Tag
tak_SSD_GetCurFrameBitRate
tak_SSD_GetEncoderInfo
tak_SSD_GetErrorString
tak_SSD_GetFrameSize
tak_SSD_GetReadPos
tak_SSD_GetSimpleWaveDataDesc
tak_SSD_GetStateInfo
tak_SSD_GetStreamInfo
tak_SSD_ReadAudio
tak_SSD_ReadSimpleWaveData
tak_SSD_Seek
tak_SSD_State
tak_SSD_Valid

Sections

CODE
Size: 78KB - Virtual size: 77KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 970B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ttpcomm.dll
.dll windows x86

f4f71f9e72b0d1063528989ca1132e56

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

pow
cos
rand
sin
log
strlen
strncmp
memchr
strcmp
??3@YAXPAX@Z
memset
strcpy
sqrt
free
_adjust_fdiv
_initterm
floor
calloc
_CIpow
fabs
??2@YAPAXI@Z
isalnum
sprintf
strncpy
srand
realloc
malloc
memmove
ceil
memcpy
exp
_purecall

kernel32

FlushInstructionCache
SetLastError
GetSystemInfo
VirtualAlloc
VirtualProtect
DeviceIoControl
CloseHandle
CreateFileA
SetPriorityClass
GetCurrentProcess
GetVersionExA
DisableThreadLibraryCalls
MulDiv
HeapAlloc
GetProcessHeap
ExitProcess
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
lstrcatA
lstrcpyA
lstrlenA
GetModuleFileNameA
RtlUnwind
InterlockedExchange
VirtualQuery
HeapFree
GetVersion

iphlpapi

GetAdaptersInfo

user32

RemovePropA
SetPropA
GetClientRect
GetWindowLongA
FillRect
GetSysColor
DrawFrameControl
SetRect
GetSystemMetrics
GetSysColorBrush
DrawEdge
GetWindowRect
GetParent
OffsetRect
GetWindowDC
ReleaseDC
CopyRect
MapWindowPoints
CallWindowProcA
PtInRect
SetCapture
SetTimer
KillTimer
ReleaseCapture
GetMessagePos
ScreenToClient
GetCursorPos
ShowScrollBar
SetWindowLongA
SetScrollInfo
SetScrollPos
GetScrollRange
GetScrollPos
GetScrollInfo
EnableScrollBar
SendMessageA
SetWindowPos
GetPropA
MessageBoxA
SetScrollRange

gdi32

ExtTextOutA
CreatePatternBrush
SetBrushOrgEx
PatBlt
CreateCompatibleDC
CreateBitmap
UnrealizeObject
SelectObject
CreateCompatibleBitmap
SetBkColor
BitBlt
GetStockObject
SetTextColor
DeleteObject
DeleteDC

Exports

Exports

_resetstkoflw
_set_security_error_handler
lrand48
srand48
ttpcomm_getversion

Sections

.text
Size: 145KB - Virtual size: 144KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

text
Size: 512B - Virtual size: 119B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
打不开点我.exe
.exe windows x86

e031dd41de59d914a5e4bd641c1f5a29

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcAddress
LoadLibraryA
lstrcatA
GetModuleHandleA
GetLastError
FreeLibrary
CloseHandle
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
DeleteFileA
MoveFileA
lstrlenA
SetFileTime
LocalFileTimeToFileTime
FindFirstFileA
CreateFileA
GetTickCount
ReadFile
SetFilePointer
GetLocalTime
SizeofResource
LockResource
LoadResource
FindResourceA
ExitProcess
WinExec
GetModuleFileNameA
CopyFileA
ReleaseMutex
CreateMutexA
GetCommandLineA
CreateThread
Sleep
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA

msvcrt

memset
strlen
??2@YAPAXI@Z
malloc
??3@YAXPAX@Z
fclose
fwrite
fopen
sprintf
strstr
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
strchr
_except_handler3
_strcmpi
_strrev

Exports

Exports

go
heart

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 193KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5cf87cce343affca7626f5bbab72e012

Headers

File Characteristics

Imports

kernel32

msvcrt

Sections

.text Size: 12KB - Virtual size: 11KB

.rsrc Size: 131KB - Virtual size: 130KB

Headers

File Characteristics

Exports

Exports

Sections

CODE Size: 78KB - Virtual size: 77KB

DATA Size: 4KB - Virtual size: 4KB

BSS Size: - Virtual size: 2KB

.idata Size: 2KB - Virtual size: 1KB

.edata Size: 1024B - Virtual size: 970B

.reloc Size: 5KB - Virtual size: 4KB

.rsrc Size: 5KB - Virtual size: 5KB

f4f71f9e72b0d1063528989ca1132e56

Headers

File Characteristics

Imports

msvcrt

kernel32

iphlpapi

user32

gdi32

Exports

Exports

Sections

.text Size: 145KB - Virtual size: 144KB

text Size: 512B - Virtual size: 119B

.rdata Size: 20KB - Virtual size: 20KB

.data Size: 26KB - Virtual size: 150KB

.tls Size: 512B - Virtual size: 28B

.reloc Size: 8KB - Virtual size: 8KB

e031dd41de59d914a5e4bd641c1f5a29

Headers

File Characteristics

Imports

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 11KB - Virtual size: 10KB

.rsrc Size: 193KB - Virtual size: 193KB

.text
Size: 12KB - Virtual size: 11KB

.rsrc
Size: 131KB - Virtual size: 130KB

CODE
Size: 78KB - Virtual size: 77KB

DATA
Size: 4KB - Virtual size: 4KB

BSS
Size: - Virtual size: 2KB

.idata
Size: 2KB - Virtual size: 1KB

.edata
Size: 1024B - Virtual size: 970B

.reloc
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 5KB - Virtual size: 5KB

.text
Size: 145KB - Virtual size: 144KB

text
Size: 512B - Virtual size: 119B

.rdata
Size: 20KB - Virtual size: 20KB

.data
Size: 26KB - Virtual size: 150KB

.tls
Size: 512B - Virtual size: 28B

.reloc
Size: 8KB - Virtual size: 8KB

.text
Size: 11KB - Virtual size: 10KB

.rsrc
Size: 193KB - Virtual size: 193KB