gh0strat | e9814f94a08d6b264177911fd41975ddaf5dc9fb78bfe954d61a4bd754ca8713

Sharing

Copy URL Twitter E-mail

General

Target

e9814f94a08d6b264177911fd41975ddaf5dc9fb78bfe954d61a4bd754ca8713
Size

57KB
MD5

71e054a5ad06453468b5233c536463b0
SHA1

3b5f00c8ca42111ae0070b8374db556d20f910ac
SHA256

e9814f94a08d6b264177911fd41975ddaf5dc9fb78bfe954d61a4bd754ca8713
SHA512

daf7bf0832db89dde30af8883ee5f25b94b6b716fc213807dd511ca296e843085510cdaccb094a88c35ccffa5aef74b68ae5759fd6847f50287fcda2aeea0199
SSDEEP

768:KeDecxKlSd5IlmljI9cXr9mRu0aWeurnAh73+FO6m3TRE7E5Dedza0Vz4Z/jf5:KeaRSd5Y8qRFjQ56m3TRALJBCZ/N

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

e9814f94a08d6b264177911fd41975ddaf5dc9fb78bfe954d61a4bd754ca8713
.exe windows x86

f583398e8c25033e0e79f967f9746377

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:49:7c:ed:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:55

Not After

16/09/2011, 02:05

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:10D8-5847-CBF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1c:6b:40:27:52:4d:59:7a:07:79:70:04:68:82:18:00:17:9f:b4:ae
Signer

Actual PE Digest

1c:6b:40:27:52:4d:59:7a:07:79:70:04:68:82:18:00:17:9f:b4:ae

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

04/02/2009, 03:39
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
memmove
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
malloc
realloc
free
_except_handler3
sprintf
_access
_beginthreadex
__dllonexit
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit
??3@YAXPAX@Z

kernel32

RaiseException
GetDiskFreeSpaceExA
LocalAlloc
GetStartupInfoA
GetModuleHandleA
CreateToolhelp32Snapshot
Process32First
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
lstrcpyA
Sleep
SetEvent
InterlockedExchange
CancelIo
WriteFile
SetFilePointer
CreateFileA
GetFileSize
ReadFile
GetWindowsDirectoryA
GetFileAttributesA
CreateProcessA
lstrlenA
TerminateThread
lstrcatA
GetTickCount
GetLastError
GetCurrentProcess
HeapAlloc
GetProcessHeap
VirtualProtect
GetProcAddress
LoadLibraryA
IsBadReadPtr
HeapFree
FreeLibrary
LocalFree
GetDriveTypeA
GlobalMemoryStatusEx
GetSystemInfo
GetVersionExA
ExitProcess
GetModuleFileNameA
DeleteFileA
DuplicateHandle
OpenProcess
CreateDirectoryA
GetLocalTime
OpenEventA
WinExec
ExpandEnvironmentStringsA
GetCurrentThreadId
CopyFileA
lstrcmpiA
Process32Next

user32

GetThreadDesktop
GetUserObjectInformationA
SetThreadDesktop
OpenInputDesktop
PostThreadMessageA
GetInputState
GetMessageA
OpenDesktopA
CloseDesktop
wsprintfA
ExitWindowsEx

advapi32

CloseServiceHandle
LookupPrivilegeValueA
OpenProcessToken
OpenSCManagerA
CreateServiceA
LockServiceDatabase
ChangeServiceConfig2A
UnlockServiceDatabase
OpenServiceA
StartServiceA
AdjustTokenPrivileges
StartServiceCtrlDispatcherA
RegOpenKeyA
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey

shell32

ShellExecuteA

wininet

InternetOpenUrlA
InternetCloseHandle
InternetOpenA

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 868B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f583398e8c25033e0e79f967f9746377

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:06:27:81:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

61:49:7c:ed:00:00:00:00:00:05Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

1c:6b:40:27:52:4d:59:7a:07:79:70:04:68:82:18:00:17:9f:b4:aeSigner

Signature Validations

Verification

04/02/2009, 03:39 Valid: false

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

advapi32

shell32

wininet

Sections

.text Size: 28KB - Virtual size: 27KB

.rdata Size: 4KB - Virtual size: 868B

.data Size: 4KB - Virtual size: 3KB

.idata Size: 4KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 1KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:06:27:81:00:00:00:00:00:08
Certificate

61:49:7c:ed:00:00:00:00:00:05
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

1c:6b:40:27:52:4d:59:7a:07:79:70:04:68:82:18:00:17:9f:b4:ae
Signer

04/02/2009, 03:39
Valid: false

.text
Size: 28KB - Virtual size: 27KB

.rdata
Size: 4KB - Virtual size: 868B

.data
Size: 4KB - Virtual size: 3KB

.idata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 1KB