gh0strat | c7bf85a993d856fc14c39cda937dbd9fdcdeda0bae8149aa09c623c039829ece

Sharing

Copy URL Twitter E-mail

General

Target

c7bf85a993d856fc14c39cda937dbd9fdcdeda0bae8149aa09c623c039829ece
Size

238KB
MD5

0703dcc32021be6477a5e01107a6460b
SHA1

b9169095a0c20564bdd8e0cab4d9ad496a596ef9
SHA256

c7bf85a993d856fc14c39cda937dbd9fdcdeda0bae8149aa09c623c039829ece
SHA512

f33f89c1a33473c0528976fb57f393c4fc6aae4b666b7924caccbfa015f303f849d9f723b6e303bb0c431c94857299ac848d93416076776537992a96b592e969
SSDEEP

3072:v0V0g2XAc5eVcB9RdrRmY/+zzfgGWjpitlmlUVeJWSpU+EXXVTfQ8ulV:J1eVcB33miSz4B6l/VeJWHlXW8ul

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

c7bf85a993d856fc14c39cda937dbd9fdcdeda0bae8149aa09c623c039829ece
.exe windows x86

c904df9d737c14e77fa10c4e0e6b5bab

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapAlloc
GetProcessHeap
DeleteFileA
CreateDirectoryA
GetFileAttributesA
lstrcpyA
lstrlenA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
GetFileSize
ReadFile
SetFilePointer
MoveFileA
lstrcatA
CreateProcessA
ExitProcess
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
HeapFree
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
GetModuleHandleA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
LocalSize
TerminateProcess
OpenProcess
GetCurrentThreadId
GlobalMemoryStatus
GetSystemInfo
GetComputerNameA
GetVersionExA
OutputDebugStringA
OpenEventA
SetErrorMode
GetCurrentProcessId
GetCurrentProcess
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
CopyFileA
LCMapStringW
LCMapStringA
SetStdHandle
FlushFileBuffers
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
InterlockedIncrement
InterlockedDecrement
IsBadCodePtr
IsBadReadPtr
WriteFile
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
WideCharToMultiByte
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
HeapSize
IsBadWritePtr
HeapReAlloc
HeapCreate
HeapDestroy
SetUnhandledExceptionFilter
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
ResetEvent
GetLastError
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
Sleep
TerminateThread
CloseHandle
FreeLibrary
LoadLibraryA
CreateMutexA
GetProcAddress
InitializeCriticalSection
SetLastError
TlsAlloc
GetVersion
GetCommandLineA
ExitThread
TlsGetValue
TlsSetValue
RaiseException
RtlUnwind

user32

TranslateMessage
GetMessageA
CharNextA
wsprintfA
GetWindowTextA
MessageBoxA
LoadCursorA
DispatchMessageA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
BlockInput
GetWindowThreadProcessId
CloseWindow
IsWindow
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
IsWindowVisible
GetCursorInfo
ExitWindowsEx
GetCursorPos
DestroyCursor
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData

advapi32

OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
FreeSid
RegCreateKeyExA
RegSetValueExA
RegOpenKeyA
RegDeleteValueA
OpenEventLogA
ClearEventLogA
CloseEventLog
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegCreateKeyA

shell32

SHGetSpecialFolderPathA

ws2_32

WSAStartup
WSACleanup
WSAIoctl
setsockopt
htons
gethostbyname
socket
select
recv
getsockname
htonl
WSASocketA
sendto
connect
inet_addr
send
closesocket

Sections

.text
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 31KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 81KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c904df9d737c14e77fa10c4e0e6b5bab

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ws2_32

Sections

.text Size: 112KB - Virtual size: 111KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 31KB - Virtual size: 39KB

.rsrc Size: 81KB - Virtual size: 84KB

.text
Size: 112KB - Virtual size: 111KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 31KB - Virtual size: 39KB

.rsrc
Size: 81KB - Virtual size: 84KB