gh0strat | 513c536fc1bb5b0603ae40ce5b4785a20492ba74efafa8aec84af1fe29e159e1

Sharing

Copy URL Twitter E-mail

General

Target

513c536fc1bb5b0603ae40ce5b4785a20492ba74efafa8aec84af1fe29e159e1
Size

133KB
MD5

934f70658c746cd3ae736d118a54c8b0
SHA1

974da53034ea73cf05f4ab2f58db1a836e4d55ec
SHA256

513c536fc1bb5b0603ae40ce5b4785a20492ba74efafa8aec84af1fe29e159e1
SHA512

b491d86481bf759c25714930a30b625a8175dc9b041a84c8f99646123026b9686371398f385c63fee4182970bfc2451bf8c20e7c9a21a380fcc7cd9e48fe26d0
SSDEEP

3072:aZl9oVX916ZaSbDmQVXKEqwfOTAQ6hZZUUJ4js:aoVX9EZaSvtx5OcL1bJ4o

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

513c536fc1bb5b0603ae40ce5b4785a20492ba74efafa8aec84af1fe29e159e1
.dll windows x86

b3effce6625711735bfde96be72cc14b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

SHDeleteKeyA

msvcrt

_strcmpi
_strnicmp
_adjust_fdiv
_initterm
_onexit
__dllonexit
??1type_info@@UAE@XZ
calloc
_beginthreadex
wcstombs
sprintf
realloc
strncat
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
strtok
printf
time
memmove
ceil
_ftol
strstr
_CxxThrowException
strchr
malloc
free
_except_handler3
strrchr
strncpy
atoi
strncmp
_errno
rand
srand

winmm

waveInStop
waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInReset
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInUnprepareHeader
waveInClose
waveOutReset
waveOutUnprepareHeader
waveInOpen
waveOutClose

ws2_32

gethostbyname
socket
ntohs
recv
htons
select
send
inet_ntoa
inet_addr
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
getsockname
bind
getpeername
accept
listen
sendto
recvfrom
__WSAFDIsSet
WSASocketA
gethostname
htonl
WSAGetLastError
closesocket

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

mfc42

ord2764
ord4129
ord6648
ord537
ord926
ord924
ord922
ord535
ord858
ord6663
ord860
ord4278
ord2818
ord939
ord6877
ord800
ord540

kernel32

GetLocalTime
GetCurrentThreadId
lstrcmpiA
CreateToolhelp32Snapshot
Process32First
Process32Next
LocalSize
FreeConsole
SetUnhandledExceptionFilter
SetErrorMode
OpenEventA
GetLogicalDrives
GetDriveTypeA
GlobalMemoryStatusEx
WaitForMultipleObjects
PeekNamedPipe
TerminateProcess
DisconnectNamedPipe
CreatePipe
GetStartupInfoA
GlobalSize
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
UnmapViewOfFile
HeapAlloc
CreateFileMappingA
MapViewOfFile
GetProcessHeap
HeapFree
RaiseException
MoveFileExA
GetWindowsDirectoryA
GetTickCount
ExitThread
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
GetCurrentProcess
GetSystemDirectoryA
SetLastError
GetModuleFileNameA
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateEventA
CloseHandle
TerminateThread
WaitForSingleObject
SetEvent
ResumeThread
CreateThread
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
GetProcAddress
LoadLibraryA
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
Sleep
lstrlenA
GetPrivateProfileSectionNamesA
lstrcatA
FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
CreateProcessA
GetDiskFreeSpaceExA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA

user32

GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
GetWindowThreadProcessId
IsWindowVisible
EnumWindows
CloseDesktop
SetThreadDesktop
GetDC
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
CreateWindowExA
CloseWindow
IsWindow
DispatchMessageA
TranslateMessage
GetMessageA
wsprintfA
CharNextA
MessageBoxA
ExitWindowsEx
GetWindowTextA
GetActiveWindow
GetKeyNameTextA
CallNextHookEx
SetWindowsHookExA
UnhookWindowsHookEx
LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
OpenInputDesktop

gdi32

DeleteObject
CreateCompatibleDC
CreateDIBSection
DeleteDC
SelectObject
CreateCompatibleBitmap
GetDIBits
BitBlt

advapi32

RegQueryValueExA
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
GetTokenInformation
LookupAccountSidA
SetServiceStatus
RegisterServiceCtrlHandlerA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
FreeSid
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenEventLogA
ClearEventLogA
CloseEventLog
RegCreateKeyExA
RegOpenKeyA
LsaFreeMemory
RegCreateKeyA
RegSetValueExA
OpenSCManagerA
OpenServiceA
QueryServiceStatus
ControlService
DeleteService
CloseServiceHandle
RegOpenKeyExA
RegQueryValueA
RegCloseKey
IsValidSid

shell32

SHGetFileInfoA
SHGetSpecialFolderPathA

imm32

ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle

msvfw32

ICClose
ICSeqCompressFrameEnd
ICCompressorFree
ICSeqCompressFrame
ICSendMessage
ICOpen
ICSeqCompressFrameStart

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Exports

Exports

ServiceMain

Sections

.text
Size: 124KB - Virtual size: 124KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b3effce6625711735bfde96be72cc14b

Headers

File Characteristics

Imports

shlwapi

msvcrt

winmm

ws2_32

msvcp60

mfc42

kernel32

user32

gdi32

advapi32

shell32

imm32

wininet

msvfw32

psapi

wtsapi32

Exports

Exports

Sections

.text Size: 124KB - Virtual size: 124KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 124KB - Virtual size: 124KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 7KB - Virtual size: 7KB