gh0strat | 557a0960f376fc379ad4745ebdbe9592620e318d95322973e8b8e70e960ce1f4

Sharing

Copy URL

Twitter E-mail

General

Target

557a0960f376fc379ad4745ebdbe9592620e318d95322973e8b8e70e960ce1f4
Size

104KB
MD5

62eacbc4c2be22255a2646f2cbf37680
SHA1

505f2ed118e878d56789d8e219f1b1b1f5568287
SHA256

557a0960f376fc379ad4745ebdbe9592620e318d95322973e8b8e70e960ce1f4
SHA512

b36a4725505e717170e607aeb07532718dfe334c899fd3da23758a4138b9ba371f2894d94cb5c223f4caf258d3563fb15c8f0c69e4be1859696dc437e96c4b3c
SSDEEP

1536:+p4QFg0pEhZ13ryiyM+FcgtrfR3+P6MEVTzFWzdbh:C4Q20p2j3rxb+FDt7R3+SMSTzFYbh

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

557a0960f376fc379ad4745ebdbe9592620e318d95322973e8b8e70e960ce1f4
.exe windows x86

7826892cdecc1285e837c12d2efd9c0c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetTickCount
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GetLocalTime
GetDriveTypeA
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
OpenEventA
SetErrorMode
OpenProcess
LocalSize
GetCurrentThreadId
GetStartupInfoA
GetModuleHandleA
GetSystemDirectoryA
lstrcatA
CreateToolhelp32Snapshot
Process32First
Process32Next
TerminateThread
DeleteCriticalSection
CreateThread
GetCurrentProcess
lstrlenA
WinExec
CreateProcessA
GetLastError
GetModuleFileNameA
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
VirtualFree
FreeLibrary
DeleteFileA
CancelIo
InterlockedExchange
SetEvent
lstrcpyA
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
LoadLibraryA
GetProcAddress
Sleep
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
VirtualAlloc
GetDiskFreeSpaceExA

user32

SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
WindowFromPoint
MapVirtualKeyA
ReleaseDC
GetDC
GetDesktopWindow
SetRect
GetCursorInfo
GetCursorPos
SetProcessWindowStation
LoadCursorA
SetCapture
CloseWindow
CreateWindowExA
IsWindow
CharNextA
wsprintfA
SendMessageA
GetKeyState
GetAsyncKeyState
GetForegroundWindow
EnumWindows
GetWindowTextA
MessageBoxA
DestroyCursor
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetProcessWindowStation
OpenWindowStationA

gdi32

DeleteDC
CreateCompatibleDC
DeleteObject
GetDIBits
CreateCompatibleBitmap
BitBlt
SelectObject
CreateDIBSection

advapi32

RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegSetValueExA
RegQueryValueA
RegOpenKeyExA
CloseEventLog
ClearEventLogA
RegCreateKeyExA
AdjustTokenPrivileges
OpenProcessToken
RegEnumValueA
RegEnumKeyExA

shell32

SHGetFileInfoA
ShellExecuteA

msvcrt

_strnicmp
_strupr
_acmdln
_strrev
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
exit
_XcptFilter
_exit
??1type_info@@UAE@XZ
calloc
_beginthreadex
strncat
strchr
_snprintf
_errno
atoi
strncmp
strrchr
strncpy
sprintf
_except_handler3
ceil
_ftol
strstr
memmove
??3@YAXPAX@Z
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
free
malloc

ws2_32

__WSAFDIsSet
recvfrom
sendto
listen
accept
getpeername
bind
getsockname
inet_ntoa
ioctlsocket
send
select
closesocket
recv
ntohs
socket
gethostbyname
htons
WSAStartup
WSACleanup
WSAIoctl
setsockopt
gethostname
connect
inet_addr

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z

wininet

InternetGetConnectedState

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameEnd
ICCompressorFree
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose

Exports

Exports

Dni
Wang

Sections

.text
Size: 72KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7826892cdecc1285e837c12d2efd9c0c

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

msvcp60

wininet

msvfw32

Exports

Exports

Sections

.text Size: 72KB - Virtual size: 70KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 12KB - Virtual size: 12KB

.rsrc Size: 4KB - Virtual size: 864B

.text
Size: 72KB - Virtual size: 70KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 4KB - Virtual size: 864B