gh0strat | 914f43b4e422c9e762039f5f9cca47e1da677be612bc2fad1bb3804866c283c2

Sharing

Copy URL Twitter E-mail

General

Target

914f43b4e422c9e762039f5f9cca47e1da677be612bc2fad1bb3804866c283c2
Size

208KB
MD5

63806ac440a082c104f32343fec6fb3b
SHA1

77f96a98ccc45ed36e53c6344534e3ca326b1bd3
SHA256

914f43b4e422c9e762039f5f9cca47e1da677be612bc2fad1bb3804866c283c2
SHA512

ef4e4c3612efa40a939e6cb4716c7953da2eea4c2ff5ad6c2cc9bb7d0ea5d160924a398ec1bed70a9059a18699c4f00666185ad50167269170d6b1c93d2605c5
SSDEEP

3072:cw8Simq8IYND9AfiXsR3C58aOn/MV8S1gkmY886ylSCPROM6lrfQMHNE+nAW95/u:H8xLTC8zRoOM6lrfhfu

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

914f43b4e422c9e762039f5f9cca47e1da677be612bc2fad1bb3804866c283c2
.exe windows x86

51985c4041f48174cfc4a60213e90794

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalUnlock
GlobalLock
GlobalSize
GetSystemDirectoryA
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
OpenEventA
FreeResource
SizeofResource
LoadResource
lstrcmpiA
UnmapViewOfFile
FlushViewOfFile
DeviceIoControl
MapViewOfFile
CreateFileMappingA
FormatMessageA
ReleaseMutex
SetErrorMode
ExitProcess
CreateMutexA
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
LockResource
CopyFileA
LocalSize
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentThreadId
GetModuleHandleA
GetModuleFileNameA
GetCurrentProcess
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
OutputDebugStringA
WinExec
GlobalAlloc
GlobalFree
ExitThread
GetTickCount
OpenProcess
LoadLibraryA
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
FindResourceA

user32

CloseClipboard
SetClipboardData
DispatchMessageA
SetCursorPos
WindowFromPoint
SetCapture
keybd_event
TranslateMessage
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
LoadCursorA
wsprintfA
mouse_event
GetMessageA
CharNextA
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
ExitWindowsEx
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
GetWindowThreadProcessId
IsWindowVisible
GetWindowTextA
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
CreateWindowExA
CloseWindow
IsWindow
MapVirtualKeyA

gdi32

DeleteDC
GetDIBits
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap
DeleteObject
BitBlt

advapi32

CloseServiceHandle
RegOpenKeyExA
RegQueryValueA
RegCloseKey
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegCreateKeyA
RegQueryValueExA
RegOpenKeyA
RegCreateKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegFlushKey
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA

shell32

SHGetFileInfoA

msvcrt

_strnicmp
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
_onexit
__dllonexit
calloc
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
memmove
ceil
_ftol
strstr
free
malloc
_except_handler3
strrchr
rand
atoi
srand
time
printf
exit
strncat
strchr
sprintf
localtime
strncmp
_beginthreadex
_strcmpi

winmm

waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInStop
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInUnprepareHeader
waveInClose
waveOutReset
waveInOpen
waveInReset
waveOutClose
waveOutUnprepareHeader

ws2_32

WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
ntohs
recv
closesocket
select
send
inet_addr
sendto
htonl
WSASocketA
inet_ntoa
ntohl
recvfrom
WSAGetLastError
gethostname
getsockname
WSAStartup

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

mfc42

ord939
ord537
ord6648
ord2764
ord4129
ord926
ord924
ord922
ord535
ord858
ord6663
ord540
ord800
ord6877
ord2818
ord4278
ord860

iphlpapi

GetNetworkParams

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd

psapi

GetModuleFileNameExA
EnumProcessModules

Sections

.text
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 104KB - Virtual size: 101KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

51985c4041f48174cfc4a60213e90794

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

winmm

ws2_32

msvcp60

mfc42

iphlpapi

wininet

avicap32

msvfw32

psapi

Sections

.text Size: 76KB - Virtual size: 75KB

.rdata Size: 16KB - Virtual size: 13KB

.data Size: 8KB - Virtual size: 19KB

.rsrc Size: 104KB - Virtual size: 101KB

.text
Size: 76KB - Virtual size: 75KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 8KB - Virtual size: 19KB

.rsrc
Size: 104KB - Virtual size: 101KB