gh0strat | e56b7941dd25c5eee10ff7b5e8a371e1b21704db7f974f3ac140a061480e9ff5

Sharing

Copy URL Twitter E-mail

General

Target

e56b7941dd25c5eee10ff7b5e8a371e1b21704db7f974f3ac140a061480e9ff5
Size

98KB
MD5

84ba55aaa0383398234dd15d405252d0
SHA1

252204413ea570b0ac8ad0f59e72a72112690045
SHA256

e56b7941dd25c5eee10ff7b5e8a371e1b21704db7f974f3ac140a061480e9ff5
SHA512

46fe1b27de6df30c75df312aa361d19c96780c33385bc46bd4c6bb0477a27b908b6ea75d78eea0beccedae0e424498f0f46451a51736aead8735e5c45ee9f0b7
SSDEEP

3072:6lI5XB/t++DTw2M/4MnUI1yQo0t9SuKvBRk0lYBPk8Cu1B:B5XBl5IP/7nUI1tl91qg0l7aB

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

e56b7941dd25c5eee10ff7b5e8a371e1b21704db7f974f3ac140a061480e9ff5
.exe windows x86

f8ed9ad7223201eaa54aadf82fed74c1

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:0f:78:4d:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/08/2007, 00:23

Not After

23/02/2009, 00:33

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:47:52:ba:00:00:00:00:00:04
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:53

Not After

16/09/2011, 02:03

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:D8A9-CFCC-579C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:47:52:ba:00:00:00:00:00:04
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:53

Not After

16/09/2011, 02:03

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:D8A9-CFCC-579C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f5:a6:49:84:d7:c2:be:38:ad:c9:ab:f7:20:65:a3:d6:c7:1a:9f:5b
Signer

Actual PE Digest

f5:a6:49:84:d7:c2:be:38:ad:c9:ab:f7:20:65:a3:d6:c7:1a:9f:5b

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

03/07/2008, 16:14
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ReleaseMutex
CreateMutexA
SetUnhandledExceptionFilter
CreateToolhelp32Snapshot
Process32First
Process32Next
Sleep
SetFilePointer
ReadFile
lstrcmpA
GetFileAttributesA
SetLastError
lstrcmpiA
lstrcpyA
HeapFree
GetTempPathA
FindResourceA
LoadResource
CreateFileA
SizeofResource
WriteFile
lstrlenA
CloseHandle
FreeResource
MoveFileA
DeleteFileA
GetSystemDirectoryA
MultiByteToWideChar
WideCharToMultiByte
ExitProcess
lstrcatA
GetLastError
GetProcessHeap
HeapAlloc
GetTickCount
GetModuleHandleA
GetProcAddress
GetModuleFileNameA
GetCommandLineA

user32

GetForegroundWindow
GetInputState
wsprintfA

advapi32

InitializeAcl
CreateServiceA
StartServiceA
GetUserNameA
OpenSCManagerA
CloseServiceHandle
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
AllocateAndInitializeSid
RegSetKeySecurity
RegCloseKey
FreeSid
LookupAccountNameA
GetFileSecurityA
InitializeSecurityDescriptor
GetSecurityDescriptorDacl
GetAclInformation
GetLengthSid
GetAce
EqualSid
AddAce
AddAccessAllowedAce
SetSecurityDescriptorDacl
GetSecurityDescriptorControl
SetFileSecurityA
ChangeServiceConfigA
ControlService
QueryServiceStatus
OpenServiceA

msvcrt

??2@YAPAXI@Z
??1type_info@@UAE@XZ
_except_handler3
realloc
malloc
strlen
strchr
memset
_strcmpi
memcpy
__CxxFrameHandler
??3@YAXPAX@Z
strstr

netapi32

NetUserGetLocalGroups
NetApiBufferFree

ws2_32

closesocket

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 584B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f8ed9ad7223201eaa54aadf82fed74c1

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:0f:78:4d:00:00:00:00:00:03Certificate

Extended Key Usages

Key Usages

61:47:52:ba:00:00:00:00:00:04Certificate

Extended Key Usages

Key Usages

61:47:52:ba:00:00:00:00:00:04Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

f5:a6:49:84:d7:c2:be:38:ad:c9:ab:f7:20:65:a3:d6:c7:1a:9f:5bSigner

Signature Validations

Verification

03/07/2008, 16:14 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

advapi32

msvcrt

netapi32

ws2_32

Sections

.text Size: 6KB - Virtual size: 5KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 584B

.rsrc Size: 78KB - Virtual size: 78KB

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:0f:78:4d:00:00:00:00:00:03
Certificate

61:47:52:ba:00:00:00:00:00:04
Certificate

61:47:52:ba:00:00:00:00:00:04
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

f5:a6:49:84:d7:c2:be:38:ad:c9:ab:f7:20:65:a3:d6:c7:1a:9f:5b
Signer

03/07/2008, 16:14
Valid: false

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 584B

.rsrc
Size: 78KB - Virtual size: 78KB