gh0strat | a1046bbbfeeaca93ee7dcefc895651efd89f9a9cbc0c89b7d12765b22f9d1dc7

Sharing

Copy URL Twitter E-mail

General

Target

a1046bbbfeeaca93ee7dcefc895651efd89f9a9cbc0c89b7d12765b22f9d1dc7
Size

114KB
MD5

5a369e80698b7b527ef9dd9d16b2c760
SHA1

03aa4fe23227bc881525f869102fcb455fa51af2
SHA256

a1046bbbfeeaca93ee7dcefc895651efd89f9a9cbc0c89b7d12765b22f9d1dc7
SHA512

b0141590b9e2af1cbd8753478e98738250318fdbd281ac6bfa7e7b2f2c689421315c3aa5bedf039abd9380705b5adfd1c185c7d443e4931a0a50d88636e8f09d
SSDEEP

3072:U05V/POWc+URTX/rUrKAslVcdBWcuZlnjI/vT69:l/GWc+UV4rzmydBWcSlnjV

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

a1046bbbfeeaca93ee7dcefc895651efd89f9a9cbc0c89b7d12765b22f9d1dc7
.dll windows x86

be54a667d8bf72963e4b2acaffb65caa

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2b:22:25:2b:47:8a:1a:91:a8:bc:2b:8b:7f:2d:96:ea
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

09/05/2007, 00:00

Not After

08/06/2010, 23:59

Subject

CN=ESET\, spol. s r.o.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=ESET\, spol. s r.o.,L=Bratislava,ST=Slovakia,C=SK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

36:45:86:52:c8:dd:42:38:cf:6e:5a:c3:ff:48:e0:54:8b:f5:26:9d
Signer

Actual PE Digest

36:45:86:52:c8:dd:42:38:cf:6e:5a:c3:ff:48:e0:54:8b:f5:26:9d

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=ESET\, spol. s r.o.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=ESET\, spol. s r.o.,L=Bratislava,ST=Slovakia,C=SK

24/10/2008, 18:50
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetTempPathA
MultiByteToWideChar
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
SetUnhandledExceptionFilter
lstrcmpiA
GetCurrentThreadId
OpenMutexA
CreateMutexA
OutputDebugStringA
GetCurrentProcess
MoveFileA
RemoveDirectoryA
LocalReAlloc
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
GetLastError
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
ReadFile
lstrlenA
LocalAlloc
LocalFree
GetModuleHandleA
GetProcAddress
CreateProcessA
GetPrivateProfileStringA
GetPrivateProfileIntA
CreateDirectoryA
GetModuleFileNameA
CreateFileMappingA
MapViewOfFile
GetFileSize
UnmapViewOfFile
DeleteFileA
lstrcpyA
Sleep
CancelIo
InterlockedExchange
ResetEvent
CreateFileA
WriteFile
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
GetTickCount
CreateEventA
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
GetDiskFreeSpaceA
GetSystemDirectoryA
HeapAlloc
GetProcessHeap
HeapFree
GetLocalTime
LoadLibraryA
FreeLibrary
GetFileAttributesA
CloseHandle
WaitForMultipleObjects

user32

PostQuitMessage
EndPaint
BeginPaint
DefWindowProcA
UpdateWindow
ShowWindow
CreateWindowExA
RegisterClassA
LoadCursorA
LoadIconA
DestroyCursor
BlockInput
SystemParametersInfoA
CharNextA
keybd_event
GetForegroundWindow
GetAsyncKeyState
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetWindowTextA
MapVirtualKeyA
GetKeyboardState
DispatchMessageA
CloseWindow
IsWindow
SetCapture
TranslateMessage
GetMessageA
ExitWindowsEx
SendMessageA
wsprintfA
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
GetCursorPos

gdi32

DeleteDC
DeleteObject
CreateCompatibleDC
BitBlt
SelectObject
GetStockObject
TextOutA
CreateCompatibleBitmap
GetDIBits
CreateDIBSection

advapi32

CryptAcquireContextA
CryptReleaseContext
CryptDestroyKey
CryptDecrypt
CryptDeriveKey
CryptHashData
CryptCreateHash
CryptVerifySignatureA
CryptImportKey
CryptGetHashParam
RegCloseKey
RegQueryValueA
RegOpenKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegEnumValueA
RegEnumKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyA
RegisterServiceCtrlHandlerA
SetServiceStatus
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
CryptDestroyHash

shell32

SHGetFileInfoA

ole32

CoCreateInstance
CoUninitialize
CoInitialize

shlwapi

PathFindExtensionA

msvcrt

_strnicmp
strncat
_strlwr
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
vsprintf
_beginthreadex
strncpy
wcstombs
strchr
fopen
fclose
fread
strrchr
malloc
free
atoi
srand
rand
_splitpath
_snprintf
time
gmtime
_local_unwind2
_except_handler3
sprintf
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z

winmm

waveInUnprepareHeader
waveInReset
waveInStop
waveInClose
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveOutReset
waveOutUnprepareHeader
waveOutClose
waveOutWrite
waveOutOpen
waveOutGetNumDevs

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

ws2_32

WSAStartup
WSACleanup
gethostname
getsockname
inet_ntoa
send
closesocket
socket
gethostbyname
htons
connect
setsockopt
WSAIoctl
recv
select
WSAGetLastError

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

ICCompressorFree
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICSeqCompressFrameEnd
ICOpen
ICClose

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

Exports

Exports

ServiceMain
Startup

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

be54a667d8bf72963e4b2acaffb65caa

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

2b:22:25:2b:47:8a:1a:91:a8:bc:2b:8b:7f:2d:96:eaCertificate

Extended Key Usages

Key Usages

36:45:86:52:c8:dd:42:38:cf:6e:5a:c3:ff:48:e0:54:8b:f5:26:9dSigner

Signature Validations

Verification

24/10/2008, 18:50 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

shlwapi

msvcrt

winmm

wininet

ws2_32

msvcp60

avicap32

msvfw32

wtsapi32

userenv

Exports

Exports

Sections

.text Size: 73KB - Virtual size: 73KB

.rdata Size: 14KB - Virtual size: 14KB

.data Size: 12KB - Virtual size: 13KB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 5KB - Virtual size: 5KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2b:22:25:2b:47:8a:1a:91:a8:bc:2b:8b:7f:2d:96:ea
Certificate

36:45:86:52:c8:dd:42:38:cf:6e:5a:c3:ff:48:e0:54:8b:f5:26:9d
Signer

24/10/2008, 18:50
Valid: false

.text
Size: 73KB - Virtual size: 73KB

.rdata
Size: 14KB - Virtual size: 14KB

.data
Size: 12KB - Virtual size: 13KB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 5KB - Virtual size: 5KB