gh0strat | 60214cea8f0d072e472e974f2aa50b5bacde0a5216cb9a212f1418eedc196c50

Sharing

Copy URL Twitter E-mail

General

Target

60214cea8f0d072e472e974f2aa50b5bacde0a5216cb9a212f1418eedc196c50
Size

83KB
MD5

4b322acea131fa336d036dbd38118ee1
SHA1

6f5e023aa836d0a7ab6d8a977645a4fa9eb10ebd
SHA256

60214cea8f0d072e472e974f2aa50b5bacde0a5216cb9a212f1418eedc196c50
SHA512

2fa9f9262dd8a5403a21c9453e3fd40edd4ecd088bd5994fb0db2c08de3b612290321dccff5540219d549d6cd8158de996c1d6fd696e21af333ad07daadd27f6
SSDEEP

1536:aNB3VefVN6ddX8eL2iLdoHnjcwQuf+J0hCqFGdDXv:aNB3fdtWqOHj7Qo+J0hCmGdDXv

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

60214cea8f0d072e472e974f2aa50b5bacde0a5216cb9a212f1418eedc196c50
.exe windows x86

81c484090e31d6f65d0545a50320b556

Code Sign

61:06:86:2c:00:00:00:00:00:02
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2011-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)2011,O=VeriSign Inc.,C=US

Not Before

17/11/2011, 05:06

Not After

17/11/2511, 05:01

Subject

CN=360.cn,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=360.cn,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageKeyEncipherment
KeyUsageDataEncipherment

e4:73:a4:dd:04:c1:ee:1b:2b:53:67:57:d4:68:b7:46:6b:9a:81:3b
Signer

Actual PE Digest

e4:73:a4:dd:04:c1:ee:1b:2b:53:67:57:d4:68:b7:46:6b:9a:81:3b

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=360.cn,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=360.cn,L=Beijing,ST=Beijing,C=CN

06/10/2022, 18:34
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateEventA
MultiByteToWideChar
WriteFile
GetVersionExA
GetTickCount
GetLastError
MoveFileA
DeleteFileA
CopyFileA
CreateThread
GetStartupInfoA
GetModuleHandleA
CreateProcessA
CreateFileA
LocalFree
lstrlenA
Sleep
CancelIo
InterlockedExchange
SetEvent
lstrcpyA
WaitForSingleObject
GetProcAddress
CloseHandle
LoadLibraryA
SetErrorMode

user32

wsprintfA

advapi32

RegDeleteKeyA
RegDeleteValueA
OpenProcessToken
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
RegQueryValueExA

msvcrt

??2@YAPAXI@Z
free
malloc
_except_handler3
strrchr
rename
vsprintf
mbstowcs
wcslen
wcstombs
atoi
wcscpy
strstr
calloc
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_ftol
ceil
memmove
_CxxThrowException
__CxxFrameHandler
??3@YAXPAX@Z
_strrev
_beginthreadex

ws2_32

connect
setsockopt
htons
WSAStartup
gethostname
getsockname
gethostbyname
socket
WSACleanup
ntohs
send
select
closesocket
WSAIoctl
recv

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

wininet

InternetOpenUrlA
InternetCloseHandle
InternetOpenA

Sections

.text
Size: 56KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

81c484090e31d6f65d0545a50320b556

Code Sign

61:06:86:2c:00:00:00:00:00:02Certificate

Extended Key Usages

Key Usages

e4:73:a4:dd:04:c1:ee:1b:2b:53:67:57:d4:68:b7:46:6b:9a:81:3bSigner

Signature Validations

Verification

06/10/2022, 18:34 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

advapi32

msvcrt

ws2_32

msvcp60

wininet

Sections

.text Size: 56KB - Virtual size: 53KB

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 8KB - Virtual size: 11KB

.rsrc Size: 4KB - Virtual size: 2KB

61:06:86:2c:00:00:00:00:00:02
Certificate

e4:73:a4:dd:04:c1:ee:1b:2b:53:67:57:d4:68:b7:46:6b:9a:81:3b
Signer

06/10/2022, 18:34
Valid: false

.text
Size: 56KB - Virtual size: 53KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 8KB - Virtual size: 11KB

.rsrc
Size: 4KB - Virtual size: 2KB