gh0strat | 920cf61bec3e3fa8b9d08ee0b68030c0671ff87e3d6a6d6f870c0b342961e4f0

Sharing

Copy URL Twitter E-mail

General

Target

920cf61bec3e3fa8b9d08ee0b68030c0671ff87e3d6a6d6f870c0b342961e4f0
Size

138KB
MD5

0e61cb4ab153f18dc9d2fa3790c109b4
SHA1

03a0889e9df0757526d80212d657bb485e4ec728
SHA256

920cf61bec3e3fa8b9d08ee0b68030c0671ff87e3d6a6d6f870c0b342961e4f0
SHA512

dc5d00437f0f4a106b34e1683c2bf243f8e24ef84aecb79a2fca9d069be49970120c52a723c9172d9fccd075fe8897787b0bf00881674c7a6070b60325283194
SSDEEP

3072:QCyIutGSX7OlclXqVpMDJiBmMjsCz5FXV8x5AQlJ/F3:QvGqlXQYio9Cz5FX85AQl3

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

920cf61bec3e3fa8b9d08ee0b68030c0671ff87e3d6a6d6f870c0b342961e4f0
.exe windows x86

172825305a1d506de21487f54597f540

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GlobalMemoryStatus
GetSystemInfo
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
ReleaseMutex
SetErrorMode
ExitProcess
CreateMutexA
CopyFileA
GetTempPathA
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
GetCurrentThreadId
GetStartupInfoA
GetModuleHandleA
GetCurrentProcess
GetVersionExA
WinExec
MoveFileA
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetProcAddress
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
lstrcatA
lstrlenA
Sleep
CancelIo
lstrcpyA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetModuleFileNameA
OutputDebugStringA
InterlockedExchange
MultiByteToWideChar
GetTickCount
WriteFile
ExitThread
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
TerminateThread
CloseHandle
LoadLibraryA
OpenEventA

user32

TranslateMessage
DispatchMessageA
CloseClipboard
SetCursorPos
WindowFromPoint
SetCapture
LoadCursorA
ExitWindowsEx
CharNextA
wsprintfA
GetMessageA
MapVirtualKeyA
SendMessageA
SystemParametersInfoA
BlockInput
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
CreateWindowExA
CloseWindow
IsWindow
DestroyCursor

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

RegQueryValueA
RegCloseKey
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegQueryValueExA
RegOpenKeyA
RegCreateKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
RegOpenKeyExA

shell32

SHGetFileInfoA

msvcrt

_strrev
_strnicmp
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
calloc
??2@YAPAXI@Z
__CxxFrameHandler
_CxxThrowException
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
strchr
malloc
free
_except_handler3
strrchr
strncpy
atoi
rand
srand
time
printf
strncmp
_errno
wcscpy
exit
strncat
_beginthreadex
_strcmpi

winmm

waveInStop
waveOutWrite
waveInStart
waveInAddBuffer
waveInUnprepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveInPrepareHeader
waveInReset
waveInClose

ws2_32

htons
connect
gethostbyname
WSAIoctl
WSACleanup
WSAStartup
socket
ntohs
recv
closesocket
select
send
sendto
htonl
inet_addr
WSASocketA
inet_ntoa
gethostname
getsockname
bind
getpeername
accept
listen
recvfrom
__WSAFDIsSet
WSAGetLastError
setsockopt

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

mfc42

ord6877
ord2764
ord4129
ord6648
ord537
ord926
ord924
ord922
ord535
ord858
ord6663
ord800
ord2818
ord540
ord939
ord4278
ord860

netapi32

NetUserAdd
NetLocalGroupAddMembers

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd

Sections

.text
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

172825305a1d506de21487f54597f540

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

winmm

ws2_32

msvcp60

mfc42

netapi32

wininet

msvfw32

Sections

.text Size: 96KB - Virtual size: 96KB

.rdata Size: 14KB - Virtual size: 14KB

.data Size: 10KB - Virtual size: 14KB

.rsrc Size: 16KB - Virtual size: 15KB

.text
Size: 96KB - Virtual size: 96KB

.rdata
Size: 14KB - Virtual size: 14KB

.data
Size: 10KB - Virtual size: 14KB

.rsrc
Size: 16KB - Virtual size: 15KB