gh0strat | eced9c2c0e6d2d141133dea4ebf2bd486e2fbeb1661da3db234f2e37ff82fe32

Sharing

Copy URL Twitter E-mail

General

Target

eced9c2c0e6d2d141133dea4ebf2bd486e2fbeb1661da3db234f2e37ff82fe32
Size

148KB
MD5

5033221ee4db84f62c8eae360262c7c2
SHA1

ff23292b2a17d342c6aaa5167f563aebe0e3238f
SHA256

eced9c2c0e6d2d141133dea4ebf2bd486e2fbeb1661da3db234f2e37ff82fe32
SHA512

dce8144638687897fca16bfe68e16cd6e46ff2b51f4ae1aa071ee58beaa37d6ed10c72068e44a4dd7faab75ed909dd6dddd8fd297165fdf1d6e158b0130bf5c1
SSDEEP

3072:Ya9hda3MN+xxziSpdEMFI+9n4zDs0MZiTKk2HKAXeasTw/:Yghdac8ziJ0ZQnaOe

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

eced9c2c0e6d2d141133dea4ebf2bd486e2fbeb1661da3db234f2e37ff82fe32
.exe windows x86

a82262c49018b03ea9113f13220d7048

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

OpenProcess
ExitThread
GetTickCount
MultiByteToWideChar
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
GetSystemDirectoryA
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
GetModuleFileNameA
ExitProcess
CreateMutexA
OutputDebugStringA
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
GetCurrentThreadId
MoveFileA
GetFileSize
WriteFile
SetFilePointer
ReadFile
CreateFileA
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateEventA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
FreeLibrary
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
LoadLibraryA
GetProcAddress
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
TerminateProcess
GetModuleHandleA
RaiseException

gdi32

DeleteObject
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
CreateCompatibleDC
CreateDIBSection
SelectObject

advapi32

GetTokenInformation
LookupAccountSidA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
OpenProcessToken
AdjustTokenPrivileges
OpenEventLogA
ClearEventLogA
CloseEventLog
RegCreateKeyExA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueA
RegCloseKey
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
LsaClose
LookupAccountNameA
IsValidSid

shell32

SHGetFileInfoA

msvcrt

??1type_info@@UAE@XZ
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
time
calloc
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_strnicmp
printf
_beginthreadex
sprintf
atol
strncat
exit
wcscpy
_errno
strncmp
__setusermatherr
srand
rand
atoi
strncpy
strrchr
_except_handler3
free
malloc
strchr
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
_initterm
??2@YAPAXI@Z
_strcmpi

winmm

waveOutPrepareHeader
waveOutGetNumDevs
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveOutOpen
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveInClose
waveInUnprepareHeader
waveInAddBuffer
waveInStart
waveOutWrite
waveInStop
waveInReset

mfc42

ord922
ord858
ord6663
ord860
ord4278
ord939
ord6877
ord540
ord2818
ord800
ord924
ord926
ord537
ord6648
ord4129
ord2764
ord535

ws2_32

WSAGetLastError
__WSAFDIsSet
recvfrom
listen
accept
getpeername
bind
getsockname
gethostname
inet_ntoa
WSASocketA
inet_addr
htonl
sendto
send
select
closesocket
recv
ntohs
socket
gethostbyname
htons
connect
setsockopt
WSAStartup
WSACleanup
WSAIoctl

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

netapi32

NetLocalGroupAddMembers
NetUserAdd

wininet

InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd

psapi

GetModuleFileNameExA
EnumProcessModules

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Sections

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 124KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a82262c49018b03ea9113f13220d7048

Headers

File Characteristics

Imports

kernel32

gdi32

advapi32

shell32

msvcrt

winmm

mfc42

ws2_32

msvcp60

netapi32

wininet

msvfw32

psapi

wtsapi32

Sections

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 124KB - Virtual size: 128KB

.rsrc Size: 4KB - Virtual size: 16B

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 124KB - Virtual size: 128KB

.rsrc
Size: 4KB - Virtual size: 16B