gh0strat | 392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

Sharing

Copy URL

Twitter E-mail

General

Target

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626
Size

179KB
MD5

11875740398942ee2cc75d1f7805c1c1
SHA1

5bd449ee9f2b31fcd523ab868dc8fbd236d003c8
SHA256

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626
SHA512

7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55
SSDEEP

3072:ESJUC/BLNNB7jGVMc7AlhKhAMIN9Z8scPCgJtt:ESJNNNrG58hm09JcCgB

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626
.exe windows x86

345f65ae03b420bd43056a6758e042f0

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2a:02:bb:47:a2:e8:33:a4:67:32:db:16:c5:23:58:d9
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

23-05-2007 00:00

Not After

06-06-2009 23:59

Subject

CN=Avira GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Avira GmbH,L=Tettnang,ST=Baden-Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateEventA
CloseHandle
TerminateThread
GetProcAddress
LoadLibraryA
SetEvent
ResumeThread
CreateThread
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
EnterCriticalSection
LeaveCriticalSection
VirtualAlloc
ResetEvent
InterlockedExchange
CancelIo
Sleep
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
lstrcpyA
lstrlenA
CreateProcessA
lstrcatA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
GetStartupInfoA
GetWindowsDirectoryA
WinExec
GetVersionExA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetSystemDirectoryA
GetLocalTime
HeapFree
HeapAlloc
LocalSize
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetTickCount
GlobalMemoryStatus
GetSystemInfo
OpenEventA
SetErrorMode
CreateMutexA
CopyFileA
GetSystemTime
GetCurrentThreadId
SetFileTime
LocalFileTimeToFileTime
SystemTimeToFileTime
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
OpenProcess
GetCurrentProcess
lstrcmpiA
SetStdHandle
LCMapStringW
LCMapStringA
RtlUnwind
RaiseException
ExitProcess
TlsSetValue
TlsGetValue
ExitThread
GetModuleHandleA
GetCommandLineA
GetVersion
TlsAlloc
SetLastError
SetUnhandledExceptionFilter
GetModuleFileNameA
GetEnvironmentVariableA
HeapDestroy
HeapCreate
HeapReAlloc
IsBadWritePtr
HeapSize
SetHandleCount
GetStdHandle
GetFileType
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
IsBadReadPtr
IsBadCodePtr
InterlockedDecrement
InterlockedIncrement
FlushFileBuffers
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
GetCPInfo
GetACP
GetOEMCP
FreeLibrary

msvfw32

ICClose
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICSeqCompressFrame
ICCompressorFree
ICSeqCompressFrameEnd

msvcrt

??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
_strupr

Sections

.text
Size: 172KB - Virtual size: 172KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

345f65ae03b420bd43056a6758e042f0

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

2a:02:bb:47:a2:e8:33:a4:67:32:db:16:c5:23:58:d9Certificate

Extended Key Usages

Key Usages

Signer

Headers

File Characteristics

Imports

kernel32

msvfw32

msvcrt

Sections

.text Size: 172KB - Virtual size: 172KB

.rsrc Size: 512B - Virtual size: 16B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2a:02:bb:47:a2:e8:33:a4:67:32:db:16:c5:23:58:d9
Certificate

.text
Size: 172KB - Virtual size: 172KB

.rsrc
Size: 512B - Virtual size: 16B