gh0strat | 1422a4e735a4ee87c48a5d86707a969e05c96338c1baeb8b8c914ccc6162a4b7

Sharing

Copy URL Twitter E-mail

General

Target

1422a4e735a4ee87c48a5d86707a969e05c96338c1baeb8b8c914ccc6162a4b7
Size

751KB
MD5

697239b7e474b921e146bbb38da90b80
SHA1

ff59f4696182cef6b2092dd859b358663b75a0dc
SHA256

1422a4e735a4ee87c48a5d86707a969e05c96338c1baeb8b8c914ccc6162a4b7
SHA512

4f5f6426813911cda10937a703a518fa65d9674501cef24c25e3c04f7d095b4260d24287a3d8bc004ae23c48dd686db8b0e3614379381aaf9e63f6692aab99c9
SSDEEP

12288:EMvQkNf7vUog4M4KJ+gZHndGhgA0QfKolA5pqCERrhRzSn:EMvQkNDvjg3+gZHdFCLC0Coren

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

1422a4e735a4ee87c48a5d86707a969e05c96338c1baeb8b8c914ccc6162a4b7
.exe windows x86

e02f62991001217455ed7a36e36d76f8

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:0f:78:4d:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/08/2007, 00:23

Not After

23/02/2009, 00:33

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:14:2c:a7:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/06/2007, 23:54

Not After

13/06/2012, 00:04

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:27F4-D440-54F3,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:14:2c:a7:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/06/2007, 23:54

Not After

13/06/2012, 00:04

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:27F4-D440-54F3,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1a:1e:15:ef:aa:e6:44:2e:38:40:fc:f8:da:30:67:62:04:aa:dd:ad
Signer

Actual PE Digest

1a:1e:15:ef:aa:e6:44:2e:38:40:fc:f8:da:30:67:62:04:aa:dd:ad

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

07/11/2007, 16:00
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

MoveFileA
GetModuleHandleA
GetProcessHeap
GetProcAddress
lstrcatA
GetCurrentProcessId
FreeLibrary
CreateThread
Sleep
MultiByteToWideChar
lstrlenA
CloseHandle
GetCurrentProcess
OpenProcess
HeapAlloc
GlobalUnlock
GetLocalTime
GetTickCount
LoadLibraryA
GetStartupInfoA

user32

GetCursorInfo
LoadCursorA
DestroyCursor
EmptyClipboard
OpenClipboard
CloseClipboard
GetSystemMetrics
SetRect
ReleaseDC
SendMessageA
CreateWindowExA
IsWindow

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegCreateKeyA
StartServiceA

shell32

ShellExecuteA
SHGetSpecialFolderPathA

msvcrt

_strupr
_strnicmp
??2@YAPAXI@Z
__CxxFrameHandler
_CxxThrowException
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
rand
sprintf
strncpy
strchr
malloc
_except_handler3
_iob
atoi
wcscpy
strncmp
free
_errno
exit
strncat
atol
_beginthreadex
calloc
??1type_info@@UAE@XZ
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_strcmpi

ws2_32

closesocket
sendto
gethostname
__WSAFDIsSet
listen
accept
getpeername
bind
getsockname
inet_addr
send
socket
gethostbyname
htons
connect
WSAIoctl
select
recv
WSACleanup
WSAStartup
ntohs
inet_ntoa
htonl
setsockopt

wininet

InternetOpenA
InternetOpenUrlA
InternetCloseHandle

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

netapi32

NetUserAdd
NetLocalGroupAddMembers

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSendMessage
ICSeqCompressFrameStart

Exports

Exports

aabbccdd
daxuewuli
eeffgghh
gaoshu
gongchengshuxue
iijjkkmm

Sections

.text
Size: 128KB - Virtual size: 127KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 172KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e02f62991001217455ed7a36e36d76f8

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:0f:78:4d:00:00:00:00:00:03Certificate

Extended Key Usages

Key Usages

61:14:2c:a7:00:00:00:00:00:06Certificate

Extended Key Usages

Key Usages

61:14:2c:a7:00:00:00:00:00:06Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

1a:1e:15:ef:aa:e6:44:2e:38:40:fc:f8:da:30:67:62:04:aa:dd:adSigner

Signature Validations

Verification

07/11/2007, 16:00 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

wininet

msvcp60

netapi32

msvfw32

Exports

Exports

Sections

.text Size: 128KB - Virtual size: 127KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 16KB - Virtual size: 17KB

.rsrc Size: 172KB - Virtual size: 172KB

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:0f:78:4d:00:00:00:00:00:03
Certificate

61:14:2c:a7:00:00:00:00:00:06
Certificate

61:14:2c:a7:00:00:00:00:00:06
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

1a:1e:15:ef:aa:e6:44:2e:38:40:fc:f8:da:30:67:62:04:aa:dd:ad
Signer

07/11/2007, 16:00
Valid: false

.text
Size: 128KB - Virtual size: 127KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 16KB - Virtual size: 17KB

.rsrc
Size: 172KB - Virtual size: 172KB