Behavioral task
behavioral1
Sample
fdf1aaf2a54aad67b1a8bffad4309016b05c4479cae2b7f7ae744eff0e441f8f.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
fdf1aaf2a54aad67b1a8bffad4309016b05c4479cae2b7f7ae744eff0e441f8f.exe
Resource
win10v2004-20220812-en
General
-
Target
fdf1aaf2a54aad67b1a8bffad4309016b05c4479cae2b7f7ae744eff0e441f8f
-
Size
160KB
-
MD5
5926ae9f75eacf9d5d0b25aba3f95860
-
SHA1
0fc8e7369d1a0bb9ad29e9d08adae010d3ecd0eb
-
SHA256
fdf1aaf2a54aad67b1a8bffad4309016b05c4479cae2b7f7ae744eff0e441f8f
-
SHA512
64559cffbe9c46fa28d6bba5c5b79e2e63c2e49764c37998442632a696f350a84cdd75160b878e47b005fa9ec6d109fc8b89471fea6072b2f016fbe9ad03d139
-
SSDEEP
3072:iVoKjo0Lu1RkdywyOxxf5QWOqXhfuaMOXFh2YyO+oCftWO:iVhFyWf5hRuD4FhYOxCfN
Malware Config
Signatures
-
Gh0st RAT payload (1 IoC)
resource: yara_rule — sample: family_gh0strat
Gh0strat family
Files
-
fdf1aaf2a54aad67b1a8bffad4309016b05c4479cae2b7f7ae744eff0e441f8f.exe windows x86
78a0791f7a4959fd1952b77b6543d816
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
lstrlenA
GetPrivateProfileSectionNamesA
GetWindowsDirectoryA
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
DeleteFileA
ExitProcess
Process32Next
GetCurrentProcessId
Process32First
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
LocalSize
OpenProcess
GetCurrentThreadId
GetSystemInfo
GetComputerNameA
CreateDirectoryA
SetFileAttributesA
MoveFileExA
DefineDosDeviceA
GetModuleFileNameA
InterlockedDecrement
GetLastError
OpenEventA
SetErrorMode
GetCurrentProcess
lstrlenW
GetModuleHandleA
CreateProcessA
TerminateProcess
ExitThread
GetSystemDirectoryA
lstrcatA
GetProcAddress
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
Sleep
EnterCriticalSection
CreateEventA
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
LoadLibraryA
FreeLibrary
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
lstrcmpiA
user32
SetThreadDesktop
GetUserObjectInformationA
GetThreadDesktop
PostMessageA
TranslateMessage
CreateWindowExA
IsWindow
CloseWindow
ExitWindowsEx
GetCursorPos
GetCursorInfo
DispatchMessageA
CloseDesktop
IsWindowVisible
OpenInputDesktop
GetMessageA
wsprintfA
CharNextA
GetWindowTextA
EnumWindows
MessageBoxA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
LoadCursorA
DestroyCursor
SendMessageA
SystemParametersInfoA
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDesktopWindow
ReleaseDC
GetWindowThreadProcessId
advapi32
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyExA
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
CloseServiceHandle
DeleteService
OpenSCManagerA
RegEnumKeyExA
RegQueryInfoKeyA
RegEnumValueA
RegDeleteValueA
RegDeleteKeyA
RegRestoreKeyA
LookupAccountSidA
OpenProcessToken
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegCloseKey
shell32
ShellExecuteA
SHGetFileInfoA
SHGetSpecialFolderPathA
ole32
CLSIDFromString
CLSIDFromProgID
CoCreateInstance
OleRun
CoInitialize
CoUninitialize
oleaut32
SysAllocString
SysFreeString
VariantClear
GetErrorInfo
VariantInit
CreateErrorInfo
VariantChangeType
SetErrorInfo
winmm
waveOutClose
waveOutWrite
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveInReset
waveInUnprepareHeader
waveInClose
waveOutReset
waveOutUnprepareHeader
waveInStop
msvcrt
_strnicmp
rand
_strnset
_onexit
__dllonexit
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
??1type_info@@UAE@XZ
calloc
_beginthreadex
_errno
strncmp
atoi
strrchr
_except_handler3
free
malloc
strchr
strncpy
sprintf
puts
putchar
_strrev
strstr
_ftol
ceil
memmove
_CxxThrowException
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
ws2_32
recvfrom
__WSAFDIsSet
bind
WSACleanup
WSAStartup
setsockopt
getsockname
inet_ntoa
htonl
WSASocketA
sendto
inet_addr
send
select
recv
closesocket
ntohs
socket
gethostbyname
htons
connect
WSAIoctl
wininet
InternetOpenA
InternetOpenUrlA
msvcp60
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
psapi
EnumProcessModules
GetModuleFileNameExA
Sections
.text Size: 104KB - Virtual size: 102KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 16KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 12KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 24KB - Virtual size: 24KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ