gh0strat | ddf4185f3dcb2cf118e3fb31c93f473c25c2ced7e1bb9e78d7d4d7a55d905308

Sharing

Copy URL Twitter E-mail

General

Target

ddf4185f3dcb2cf118e3fb31c93f473c25c2ced7e1bb9e78d7d4d7a55d905308
Size

561KB
MD5

56887058791ec8d8c811d80a69a3cf07
SHA1

474670e48a1dc5d27aaed95b6b356190ed15b2e9
SHA256

ddf4185f3dcb2cf118e3fb31c93f473c25c2ced7e1bb9e78d7d4d7a55d905308
SHA512

4c9dd77cd7cc82e98260b64f09d9a432d70559c24363e0e2559398ab2beacf2739c35f0d4cb7ccb151114f04ae5582a5b6a3e4de798f755cc160e7cc7a2a386d
SSDEEP

12288:wz6le0pfGH4WTo7fbb2YJgFkH4WTo7UQH4WTo7:wiQYWmfbiYJFYWmlYWm

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
sample	family_gh0strat
static1/unpack001/WinDDOS.exe	family_gh0strat

Gh0strat family
gh0strat

Files

ddf4185f3dcb2cf118e3fb31c93f473c25c2ced7e1bb9e78d7d4d7a55d905308
.tar
WinDDOS.exe
.exe windows x86

d044ef0a7f950c7965b472f45f8522df

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalUnlock
GlobalLock
GlobalSize
GlobalMemoryStatus
GetSystemInfo
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
ReleaseMutex
lstrcatA
SetErrorMode
ExitProcess
CreateMutexA
CopyFileA
LocalSize
TerminateProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
GetStartupInfoA
GetModuleHandleA
GetModuleFileNameA
OutputDebugStringA
GetCurrentProcess
CreateProcessA
GetVersionExA
GetSystemDirectoryA
WinExec
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
Sleep
CancelIo
InterlockedExchange
SetEvent
InitializeCriticalSection
TerminateThread
GetTickCount
CreateThread
ExitThread
OpenProcess
lstrcpyA
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
OpenEventA

user32

BlockInput
SendMessageA
PostMessageA
CharNextA
wsprintfA
DestroyCursor
LoadCursorA
SystemParametersInfoA
ExitWindowsEx
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
GetWindowTextA
IsWindowVisible
GetWindowThreadProcessId
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
GetCursorPos
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
GetClipboardData
OpenClipboard
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo

gdi32

DeleteDC
DeleteObject
GetDIBits
CreateDIBSection
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
BitBlt

advapi32

RegSetValueExA
RegCloseKey
OpenSCManagerA
OpenServiceA
CloseServiceHandle
RegQueryValueExA
RegOpenKeyA
RegCreateKeyExA
RegOpenKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA

shell32

SHGetFileInfoA

msvcrt

__set_app_type
_strnicmp
_controlfp
_strcmpi
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
??3@YAXPAX@Z
memmove
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
free
malloc
_except_handler3
atoi
rand
srand
time
printf
exit
strncat
strchr
strncmp
_beginthreadex
calloc
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm

ws2_32

htonl
sendto
inet_addr
send
select
closesocket
recv
ntohs
WSASocketA
inet_ntoa
WSAGetLastError
gethostname
getsockname
socket
gethostbyname
htons
connect
setsockopt
WSAStartup
WSACleanup
WSAIoctl

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

mfc42

ord939
ord2818
ord537
ord6648
ord2764
ord4129
ord926
ord924
ord922
ord535
ord858
ord6663
ord860
ord4278
ord540
ord6877
ord800

psapi

EnumProcessModules
GetModuleFileNameExA

Sections

.text
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 324B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

�?�
Size: 97KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
server.exe
.exe windows x86

29637e11e194dc0202df96c219ccfc7d

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapAlloc
GetProcessHeap
VirtualAlloc
VirtualProtect
VirtualFree
GetProcAddress
LoadLibraryA
IsBadReadPtr
HeapFree
FreeLibrary
ExitProcess
GetFileAttributesA
GetWindowsDirectoryA
GetVersionExA
GetStringTypeA
LCMapStringW
HeapReAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
GetModuleFileNameA
GetEnvironmentVariableA
HeapDestroy
HeapCreate
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
WriteFile
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
GetStringTypeW

user32

wsprintfA

Sections

.text
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 161KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

��
Size: 97KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

d044ef0a7f950c7965b472f45f8522df

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

msvcp60

mfc42

psapi

Sections

.text Size: 63KB - Virtual size: 62KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 8KB - Virtual size: 11KB

.rsrc Size: 512B - Virtual size: 324B

�?� Size: 97KB - Virtual size: 100KB

29637e11e194dc0202df96c219ccfc7d

Headers

File Characteristics

Imports

kernel32

user32

Sections

.text Size: 17KB - Virtual size: 16KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 161KB - Virtual size: 162KB

.rsrc Size: 2KB - Virtual size: 1KB

�� Size: 97KB - Virtual size: 100KB

.text
Size: 63KB - Virtual size: 62KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 8KB - Virtual size: 11KB

.rsrc
Size: 512B - Virtual size: 324B

�?�
Size: 97KB - Virtual size: 100KB

.text
Size: 17KB - Virtual size: 16KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 161KB - Virtual size: 162KB

.rsrc
Size: 2KB - Virtual size: 1KB

��
Size: 97KB - Virtual size: 100KB