gh0strat | d8bcf8c6e834436354358d2b1a6a454be6e432e9bc68a860eebfb5df225579fe

Sharing

Copy URL Twitter E-mail

General

Target

d8bcf8c6e834436354358d2b1a6a454be6e432e9bc68a860eebfb5df225579fe
Size

184KB
MD5

772e4dc62baa9613221a3e9f6fb3d860
SHA1

d4ee3dd545e57dcca3577d2a2c4ca514bca09ecb
SHA256

d8bcf8c6e834436354358d2b1a6a454be6e432e9bc68a860eebfb5df225579fe
SHA512

2b103d77418fba75190fc3101de2dd2a8535c108919f71205a2f76557f3b39335ed65c3ebd9ed9fd8ef430a4835896c7c45d76fe14fe4eb62106940698ce3d67
SSDEEP

3072:cVjKxo0LueM4GzwNx+yJWDS/vf4aMOb8QYyOl5lG/22YbzGBNTP2AqXt:cVGo42yB/4Dw8COLM7sgNy9

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

d8bcf8c6e834436354358d2b1a6a454be6e432e9bc68a860eebfb5df225579fe
.exe windows x86

78a0791f7a4959fd1952b77b6543d816

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrlenA
GetPrivateProfileSectionNamesA
GetWindowsDirectoryA
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
DeleteFileA
ExitProcess
Process32Next
GetCurrentProcessId
Process32First
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
LocalSize
OpenProcess
GetCurrentThreadId
GetSystemInfo
GetComputerNameA
CreateDirectoryA
SetFileAttributesA
MoveFileExA
DefineDosDeviceA
GetModuleFileNameA
InterlockedDecrement
GetLastError
OpenEventA
SetErrorMode
GetCurrentProcess
lstrlenW
GetModuleHandleA
CreateProcessA
TerminateProcess
ExitThread
GetSystemDirectoryA
lstrcatA
GetProcAddress
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
Sleep
EnterCriticalSection
CreateEventA
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
LoadLibraryA
FreeLibrary
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
lstrcmpiA

user32

SetThreadDesktop
GetUserObjectInformationA
GetThreadDesktop
PostMessageA
TranslateMessage
CreateWindowExA
IsWindow
CloseWindow
ExitWindowsEx
GetCursorPos
GetCursorInfo
DispatchMessageA
CloseDesktop
IsWindowVisible
OpenInputDesktop
GetMessageA
wsprintfA
CharNextA
GetWindowTextA
EnumWindows
MessageBoxA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
LoadCursorA
DestroyCursor
SendMessageA
SystemParametersInfoA
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDesktopWindow
ReleaseDC
GetWindowThreadProcessId

advapi32

RegCreateKeyExA
RegQueryValueExA
RegOpenKeyExA
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
CloseServiceHandle
DeleteService
OpenSCManagerA
RegEnumKeyExA
RegQueryInfoKeyA
RegEnumValueA
RegDeleteValueA
RegDeleteKeyA
RegRestoreKeyA
LookupAccountSidA
OpenProcessToken
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegCloseKey

shell32

ShellExecuteA
SHGetFileInfoA
SHGetSpecialFolderPathA

ole32

CLSIDFromString
CLSIDFromProgID
CoCreateInstance
OleRun
CoInitialize
CoUninitialize

oleaut32

SysAllocString
SysFreeString
VariantClear
GetErrorInfo
VariantInit
CreateErrorInfo
VariantChangeType
SetErrorInfo

winmm

waveOutClose
waveOutWrite
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveInReset
waveInUnprepareHeader
waveInClose
waveOutReset
waveOutUnprepareHeader
waveInStop

msvcrt

_strnicmp
rand
_strnset
_onexit
__dllonexit
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
??1type_info@@UAE@XZ
calloc
_beginthreadex
_errno
strncmp
atoi
strrchr
_except_handler3
free
malloc
strchr
strncpy
sprintf
puts
putchar
_strrev
strstr
_ftol
ceil
memmove
_CxxThrowException
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z

ws2_32

recvfrom
__WSAFDIsSet
bind
WSACleanup
WSAStartup
setsockopt
getsockname
inet_ntoa
htonl
WSASocketA
sendto
inet_addr
send
select
recv
closesocket
ntohs
socket
gethostbyname
htons
connect
WSAIoctl

wininet

InternetOpenA
InternetOpenUrlA

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

psapi

EnumProcessModules
GetModuleFileNameExA

Sections

.text
Size: 104KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

78a0791f7a4959fd1952b77b6543d816

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

winmm

msvcrt

ws2_32

wininet

msvcp60

psapi

Sections

.text Size: 104KB - Virtual size: 102KB

.rdata Size: 16KB - Virtual size: 13KB

.data Size: 12KB - Virtual size: 15KB

.rsrc Size: 48KB - Virtual size: 48KB

.text
Size: 104KB - Virtual size: 102KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 12KB - Virtual size: 15KB

.rsrc
Size: 48KB - Virtual size: 48KB