gh0strat | b1aeaa6f35d8aba2caa9064e5cab0754d7d7e798214cfbb2a51c79daec237bc3

Sharing

Copy URL Twitter E-mail

General

Target

b1aeaa6f35d8aba2caa9064e5cab0754d7d7e798214cfbb2a51c79daec237bc3
Size

85KB
MD5

6984a0b2c151f1d9cc1fce2312b994c0
SHA1

ecfecf9834c60cb9dc045c2d03fd4424411d28f0
SHA256

b1aeaa6f35d8aba2caa9064e5cab0754d7d7e798214cfbb2a51c79daec237bc3
SHA512

f8d1da4fb8fc82275ce2afc09a8be57870292065a6d6ae876624a1e0b399d017aae0bf5ca915a88d19e84c128ac950166cb79c45ec75359de09954e28798836a
SSDEEP

1536:/wTiY/dQf5IFJm8vA12DdjxVpbjQ5cpC4fESK47wuLFcs64qZnvi:/wTiY/dQfL4A1QdNjQ5CCiESK48kFcsz

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

b1aeaa6f35d8aba2caa9064e5cab0754d7d7e798214cfbb2a51c79daec237bc3
.dll windows x86

cbc31316c7f4e5ce8f37009bfffc6220

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
lstrcmpiA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentThreadId
LocalSize
GetTickCount
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetProcAddress
LoadLibraryA
GetVersionExA
WaitForMultipleObjects
PeekNamedPipe
TerminateThread
TerminateProcess
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
CloseHandle
ResetEvent
lstrcpyA
WaitForSingleObject
SetEvent
InterlockedExchange
CancelIo
Sleep
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
lstrlenA
lstrcatA
GetDriveTypeA
FreeLibrary
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
GetTempPathA
GetModuleFileNameA
DisconnectNamedPipe
CreatePipe
GetStartupInfoA
CreateProcessA
GetProcessHeap
HeapAlloc
HeapFree
OpenProcess
GetLocalTime
VirtualAllocEx
GetCurrentProcess
GetSystemDirectoryA
SetLastError

user32

GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint
MapVirtualKeyA
ReleaseDC
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
LoadCursorA
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
CharNextA
wsprintfA
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
CloseDesktop
GetCursorPos
keybd_event
GetCursorInfo
SetCapture
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
GetKeyNameTextA
GetActiveWindow
EnumWindows
GetWindowTextA
IsWindowVisible
GetWindowThreadProcessId
PostMessageA
OpenDesktopA

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

RegisterServiceCtrlHandlerA
SetServiceStatus
RegCreateKeyExA
RegSetValueExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
FreeSid
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenEventLogA
ClearEventLogA
CloseEventLog
RegOpenKeyA
RegQueryValueExA
OpenServiceA
QueryServiceStatus
ControlService
DeleteService
RegOpenKeyExA
RegQueryValueA
RegCloseKey

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_except_handler3
strrchr
strncpy
strncat
strchr
atoi
wcstombs
malloc
calloc
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
free
??2@YAPAXI@Z
_CxxThrowException
__CxxFrameHandler
strstr
_ftol
ceil
memmove
_strcmpi
_beginthreadex
??3@YAXPAX@Z
_strnset
_strnicmp
realloc

ws2_32

getsockname
gethostname
send
WSAStartup
WSAIoctl
closesocket
recv
select
ntohs
socket
gethostbyname
htons
connect

msvcp60

?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB

wininet

InternetOpenA
InternetCloseHandle
InternetOpenUrlA

avicap32

capGetDriverDescriptionA

psapi

EnumProcessModules
GetModuleFileNameExA

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

Exports

Exports

CH
MainService
ServiceMain
atginextern
austfFu1
austfFu2
austfFu3
austfFu4
lch
xjm

Sections

.text
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cbc31316c7f4e5ce8f37009bfffc6220

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

ws2_32

msvcp60

wininet

avicap32

psapi

imm32

Exports

Exports

Sections

.text Size: 78KB - Virtual size: 78KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 78KB - Virtual size: 78KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB