gh0strat | 1d23b270c4e289939250fd6f9f57479e9a3ae67cce9dbb7667215c12c4d52140

Sharing

Copy URL

Twitter E-mail

General

Target

1d23b270c4e289939250fd6f9f57479e9a3ae67cce9dbb7667215c12c4d52140
Size

208KB
MD5

51add2274815848efd8fefebbd260d60
SHA1

4b6aaff82d339f6f5e12450b1966606b36fee18d
SHA256

1d23b270c4e289939250fd6f9f57479e9a3ae67cce9dbb7667215c12c4d52140
SHA512

28786d404a5a6b0c7cb762411e9ca1fb8362cdffee9fd2c1eecd06f3d59f6606bfc7e59609fc457fb290adcca56c2874b1d33ae04770a101cecd15d5fb25a531
SSDEEP

3072:Uw8Simq8IYND9AfiXsR3C58aOn/MV8S1gkmY886ylSCPROMwlrfQMHNE+nAW95/c:f8xLTC8zRoOMwlrfhfc

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

1d23b270c4e289939250fd6f9f57479e9a3ae67cce9dbb7667215c12c4d52140
.exe windows x86

51985c4041f48174cfc4a60213e90794

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalUnlock
GlobalLock
GlobalSize
GetSystemDirectoryA
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
OpenEventA
FreeResource
SizeofResource
LoadResource
lstrcmpiA
UnmapViewOfFile
FlushViewOfFile
DeviceIoControl
MapViewOfFile
CreateFileMappingA
FormatMessageA
ReleaseMutex
SetErrorMode
ExitProcess
CreateMutexA
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
LockResource
CopyFileA
LocalSize
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentThreadId
GetModuleHandleA
GetModuleFileNameA
GetCurrentProcess
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
OutputDebugStringA
WinExec
GlobalAlloc
GlobalFree
ExitThread
GetTickCount
OpenProcess
LoadLibraryA
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
FindResourceA

user32

CloseClipboard
SetClipboardData
DispatchMessageA
SetCursorPos
WindowFromPoint
SetCapture
keybd_event
TranslateMessage
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
LoadCursorA
wsprintfA
mouse_event
GetMessageA
CharNextA
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
ExitWindowsEx
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
GetWindowThreadProcessId
IsWindowVisible
GetWindowTextA
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
CreateWindowExA
CloseWindow
IsWindow
MapVirtualKeyA

gdi32

DeleteDC
GetDIBits
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap
DeleteObject
BitBlt

advapi32

CloseServiceHandle
RegOpenKeyExA
RegQueryValueA
RegCloseKey
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegCreateKeyA
RegQueryValueExA
RegOpenKeyA
RegCreateKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegFlushKey
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA

shell32

SHGetFileInfoA

msvcrt

_strnicmp
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
_onexit
__dllonexit
calloc
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
memmove
ceil
_ftol
strstr
free
malloc
_except_handler3
strrchr
rand
atoi
srand
time
printf
exit
strncat
strchr
sprintf
localtime
strncmp
_beginthreadex
_strcmpi

winmm

waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInStop
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInUnprepareHeader
waveInClose
waveOutReset
waveInOpen
waveInReset
waveOutClose
waveOutUnprepareHeader

ws2_32

WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
ntohs
recv
closesocket
select
send
inet_addr
sendto
htonl
WSASocketA
inet_ntoa
ntohl
recvfrom
WSAGetLastError
gethostname
getsockname
WSAStartup

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

mfc42

ord939
ord537
ord6648
ord2764
ord4129
ord926
ord924
ord922
ord535
ord858
ord6663
ord540
ord800
ord6877
ord2818
ord4278
ord860

iphlpapi

GetNetworkParams

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd

psapi

GetModuleFileNameExA
EnumProcessModules

Sections

.text
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 104KB - Virtual size: 101KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

51985c4041f48174cfc4a60213e90794

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

winmm

ws2_32

msvcp60

mfc42

iphlpapi

wininet

avicap32

msvfw32

psapi

Sections

.text Size: 76KB - Virtual size: 75KB

.rdata Size: 16KB - Virtual size: 13KB

.data Size: 8KB - Virtual size: 19KB

.rsrc Size: 104KB - Virtual size: 101KB

.text
Size: 76KB - Virtual size: 75KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 8KB - Virtual size: 19KB

.rsrc
Size: 104KB - Virtual size: 101KB