gh0strat | 351d1611c6b5be74f55cde8104e44be6dfea166f61bfb68ae93d910c056a4331

Sharing

Copy URL Twitter E-mail

General

Target

351d1611c6b5be74f55cde8104e44be6dfea166f61bfb68ae93d910c056a4331
Size

148KB
MD5

68b1673c5b4f9627e7169bf91737b880
SHA1

26f02526ddc63808e0a74236c3a8deb093b8083d
SHA256

351d1611c6b5be74f55cde8104e44be6dfea166f61bfb68ae93d910c056a4331
SHA512

45d1a3ef68477bfb67d9c76e12d6f6db73c0b170505952045bc8fa1166c94ed96210d76a5a826f1fe5c72f4ad4de87c2a9a79f27cb331a2d2a9406f1de76b25d
SSDEEP

3072:fVQyC9cAWuylrFvnfucWkn6lqSrZDJZy7WjI:WyNuyHGunO1pi7C

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

351d1611c6b5be74f55cde8104e44be6dfea166f61bfb68ae93d910c056a4331
.exe windows x86

44c41e56b898b82960a4508b271336f0

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
CreateProcessA
DeleteFileA
GetSystemDirectoryA
ExitProcess
Process32Next
lstrcmpiA
GetWindowsDirectoryA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
LocalSize
TerminateProcess
OpenProcess
GetCurrentThreadId
GetSystemInfo
GetComputerNameA
CreateDirectoryA
SetFileAttributesA
MoveFileExA
DefineDosDeviceA
GetModuleFileNameA
InterlockedDecrement
GetLastError
OpenEventA
SetErrorMode
GetCurrentProcess
GetModuleHandleA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
GetProcessHeap
HeapAlloc
GetCurrentProcessId
GetProcAddress
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
CreateEventA
Sleep
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
LoadLibraryA
FreeLibrary
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
Process32First

user32

OpenInputDesktop
GetThreadDesktop
PostMessageA
CreateWindowExA
TranslateMessage
IsWindow
CloseWindow
GetWindowThreadProcessId
ExitWindowsEx
GetCursorPos
GetCursorInfo
DispatchMessageA
SetThreadDesktop
CloseDesktop
GetUserObjectInformationA
GetMessageA
wsprintfA
CharNextA
GetWindowTextA
EnumWindows
MessageBoxA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
LoadCursorA
DestroyCursor
SendMessageA
SystemParametersInfoA
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDesktopWindow
ReleaseDC
IsWindowVisible

advapi32

DeleteService
RegQueryValueExA
RegOpenKeyExA
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
RegCreateKeyExA
CloseServiceHandle
OpenSCManagerA
LookupAccountSidA
OpenProcessToken
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegCloseKey

shell32

ShellExecuteA
SHGetFileInfoA
SHGetSpecialFolderPathA

ole32

CLSIDFromString
CLSIDFromProgID
CoCreateInstance
CoInitialize
OleRun
CoUninitialize

oleaut32

SysAllocString
SysFreeString
VariantClear
GetErrorInfo

winmm

waveOutClose
waveOutWrite
waveInStop
waveOutOpen
waveOutGetNumDevs
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveInReset
waveInUnprepareHeader
waveInClose
waveOutReset
waveOutUnprepareHeader
waveOutPrepareHeader

msvcrt

_strnicmp
putchar
_strnset
_onexit
__dllonexit
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
??1type_info@@UAE@XZ
calloc
_beginthreadex
_errno
strncmp
atoi
strrchr
_except_handler3
free
malloc
strchr
strncpy
sprintf
puts
_strrev
rand
strstr
_ftol
ceil
memmove
_CxxThrowException
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z

ws2_32

recvfrom
__WSAFDIsSet
bind
WSACleanup
WSAStartup
getsockname
setsockopt
inet_ntoa
htonl
WSASocketA
sendto
inet_addr
send
select
recv
closesocket
socket
gethostbyname
htons
connect
WSAIoctl

wininet

InternetOpenA
InternetOpenUrlA

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Sections

.text
Size: 92KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

44c41e56b898b82960a4508b271336f0

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

winmm

msvcrt

ws2_32

wininet

msvcp60

psapi

wtsapi32

Sections

.text Size: 92KB - Virtual size: 92KB

.rdata Size: 16KB - Virtual size: 16KB

.data Size: 16KB - Virtual size: 16KB

.rsrc Size: 20KB - Virtual size: 20KB

.text
Size: 92KB - Virtual size: 92KB

.rdata
Size: 16KB - Virtual size: 16KB

.data
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 20KB - Virtual size: 20KB