gh0strat | 0ac2d4d8f3063a91cfcf52abfb4e0514c1cf4de0ed5419f1d99031e745961df2

Sharing

Copy URL Twitter E-mail

General

Target

0ac2d4d8f3063a91cfcf52abfb4e0514c1cf4de0ed5419f1d99031e745961df2
Size

415KB
MD5

56f55b8a4e2a91fbc808430856dd8d0b
SHA1

9dd2b84f98b41dedb650bddec33f923d236cbec3
SHA256

0ac2d4d8f3063a91cfcf52abfb4e0514c1cf4de0ed5419f1d99031e745961df2
SHA512

8b13843472a892b27c915e3353a1fc4fb88038184d25b17983086178f3b3389bfb4530b8bf8bc38e61dd6685f8227f38d00cdc97f683b0a6b4bb60ec20501dc4
SSDEEP

12288:W0JwriOqpRKufepePy2qmw+U4MtRT3Cg+:WRriIpePybmLUxjT3w

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

0ac2d4d8f3063a91cfcf52abfb4e0514c1cf4de0ed5419f1d99031e745961df2
.exe windows x86

4703d0687cd7d1991da5ad93396d72a3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

1e:b0:f4:d8:21:e2:39:ba:81:b3:d1:0e:61:b7:61:5b
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

30/05/2014, 00:00

Not After

30/05/2015, 23:59

Subject

CN=Guangxi Nanning Shengtai'an E-Business Development CO.LTD,O=Guangxi Nanning Shengtai'an E-Business Development CO.LTD,L=Guangxi,ST=Nanning,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

39:d7:e7:02:68:cd:03:09:6a:2a:78:bb:c5:d3:aa:1e:6e:14:36:ee
Signer

Actual PE Digest

39:d7:e7:02:68:cd:03:09:6a:2a:78:bb:c5:d3:aa:1e:6e:14:36:ee

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Guangxi Nanning Shengtai'an E-Business Development CO.LTD,O=Guangxi Nanning Shengtai'an E-Business Development CO.LTD,L=Guangxi,ST=Nanning,C=CN

13/04/2015, 10:15
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentThreadId
lstrcmpiA
GlobalSize
HeapAlloc
GetSystemDirectoryA
GetTempPathA
MoveFileExA
SetFileAttributesA
CreateThread
OutputDebugStringA
TerminateThread
GetWindowsDirectoryA
lstrcatA
GetProcessHeap
HeapFree
SetLastError
MoveFileA
SetFilePointer
ReadFile
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
lstrcpyA
GetFileAttributesA
CreateDirectoryA
DeleteFileA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CancelIo
InterlockedExchange
SetEvent
ResetEvent
CreateEventA
GlobalFree
GlobalAlloc
GlobalLock
GlobalUnlock
GetCommandLineA
CreateMutexA
CopyFileA
GetLastError
GetModuleFileNameA
CreateFileA
WriteFile
ExitProcess
OpenEventA
WaitForSingleObject
GetTickCount
GetVersionExA
LoadLibraryA
GetProcAddress
GetCurrentProcess
CloseHandle
FreeLibrary
GetProfileStringA
SetEnvironmentVariableA
CompareStringW
CompareStringA
Sleep
lstrlenA
IsBadCodePtr
IsBadReadPtr
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
HeapCreate
HeapDestroy
GetEnvironmentVariableA
GetVersion
GlobalAddAtomA
GlobalGetAtomNameA
lstrcpynA
GetModuleHandleA
GlobalDeleteAtom
GlobalFindAtomA
LockResource
LoadResource
FindResourceA
MulDiv
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
MultiByteToWideChar
ResumeThread
SetThreadPriority
SuspendThread
FormatMessageA
GetCurrentThread
lstrcmpA
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetTempFileNameA
GetFullPathNameA
SetFileTime
GetFileTime
GetDiskFreeSpaceA
DuplicateHandle
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
GetStringTypeExA
GetThreadLocale
GetShortPathNameA
TlsAlloc
GlobalHandle
TlsFree
GlobalReAlloc
TlsSetValue
TlsGetValue
GlobalFlags
GetProcessVersion
GetCPInfo
GetOEMCP
SizeofResource
LocalFileTimeToFileTime
SystemTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCurrentDirectoryA
SetErrorMode
RtlUnwind
HeapReAlloc
RaiseException
TerminateProcess
ExitThread
GetStartupInfoA
SetStdHandle
GetFileType
HeapSize
GetTimeZoneInformation
GetACP
IsBadWritePtr

user32

SetActiveWindow
ReuseDDElParam
UnpackDDElParam
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetDlgCtrlID
SetWindowPos
GetKeyState
SetWindowLongA
GetDlgItem
CopyRect
EqualRect
GetFocus
IsIconic
IsWindowVisible
BringWindowToTop
GetLastActivePopup
GetWindowRect
GetWindowPlacement
IntersectRect
OffsetRect
SetForegroundWindow
GetForegroundWindow
GetMessagePos
GetMessageTime
DefWindowProcA
RemovePropA
CallWindowProcA
GetPropA
UnhookWindowsHookEx
SetPropA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
CreateWindowExA
DestroyWindow
GetWindowTextA
GetWindowTextLengthA
RegisterClassA
IsChild
GetTopWindow
SetScrollPos
GetScrollPos
SetScrollRange
GetScrollRange
ShowScrollBar
SetScrollInfo
GetScrollInfo
ScrollWindow
EndDeferWindowPos
BeginDeferWindowPos
DeferWindowPos
ScreenToClient
AdjustWindowRectEx
DispatchMessageA
GetSysColor
MapWindowPoints
SendDlgItemMessageA
GetMenu
IsDialogMessageA
SetWindowTextA
MoveWindow
GetNextDlgTabItem
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
IsZoomed
PtInRect
SetParent
WinHelpA
AppendMenuA
DeleteMenu
GetSystemMenu
ClientToScreen
GetWindowDC
BeginPaint
EndPaint
TabbedTextOutA
DrawTextA
GrayStringA
CreateDialogIndirectParamA
EndDialog
ValidateRect
TranslateMessage
GetMessageA
PostQuitMessage
ShowOwnedPopups
SetWindowContextHelpId
MapDialogRect
FindWindowA
FillRect
CharUpperA
InflateRect
GetClassNameA
GetSysColorBrush
LoadStringA
SetTimer
KillTimer
InvertRect
GetDCEx
LockWindowUpdate
InsertMenuA
GetMenuStringA
DestroyIcon
CopyAcceleratorTableA
UnregisterClassA
MessageBeep
RegisterClipboardFormatA
PostThreadMessageA
IsWindowUnicode
DefDlgProcA
DrawFocusRect
ExcludeUpdateRgn
ShowCaret
HideCaret
LoadIconA
GetClassInfoA
LoadMenuA
DestroyMenu
SetFocus
GetParent
GetActiveWindow
ShowWindow
GetWindowLongA
IsWindow
EnableWindow
SendMessageA
wsprintfA
UpdateWindow
MessageBoxA
InvalidateRect
GetDC
GetClientRect
CharNextA
LoadCursorA
DestroyCursor
SystemParametersInfoA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
GetWindow
IsWindowEnabled
SetClipboardData
EmptyClipboard
IsRectEmpty
SetMenu
SetCursor
PeekMessageA
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetCapture
ReleaseCapture
TranslateAcceleratorA
LoadAcceleratorsA
SetRectEmpty
RegisterWindowMessageA
GetNextDlgGroupItem
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow

gdi32

SetTextAlign
ExcludeClipRect
SelectClipRgn
ScaleWindowExtEx
SetWindowExtEx
SetWindowOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
CreateDIBitmap
GetTextExtentPointA
GetBkColor
GetTextColor
CreateFontIndirectA
CombineRgn
SetRectRgn
GetMapMode
DPtoLP
LPtoDP
Escape
ExtTextOutA
TextOutA
RectVisible
CreatePatternBrush
CreateSolidBrush
GetWindowExtEx
GetViewportExtEx
GetDeviceCaps
CreateRectRgn
SelectObject
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetDIBits
CreateCompatibleBitmap
SetViewportOrgEx
SetMapMode
SetBkMode
GetStockObject
RestoreDC
SaveDC
CreateFontA
GetCharWidthA
StretchDIBits
GetTextMetricsA
GetTextExtentPoint32A
CreateRectRgnIndirect
PatBlt
CreateBitmap
GetObjectA
SetBkColor
SetTextColor
GetClipBox
IntersectClipRect
PtVisible

advapi32

RegCreateKeyA
DeleteService
RegQueryValueA
StartServiceCtrlDispatcherA
OpenSCManagerA
CreateServiceA
OpenServiceA
StartServiceA
RegSetValueExA
CloseServiceHandle
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyExA
RegOpenKeyA
RegQueryValueExA
RegCloseKey
RegEnumKeyA
SetFileSecurityA
GetFileSecurityA
RegSetValueA
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA

shell32

ExtractIconA
DragAcceptFiles
SHGetSpecialFolderPathA
SHGetFileInfoA
ShellExecuteA
SHBrowseForFolderA
SHGetPathFromIDListA
DragFinish
DragQueryFileA

ole32

OleIsCurrentClipboard
CoRegisterMessageFilter
OleFlushClipboard
OleUninitialize
OleInitialize
CoTaskMemAlloc
CoTaskMemFree
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoRevokeClassObject
CoFreeUnusedLibraries
CreateStreamOnHGlobal
CoUninitialize
CoInitialize

oleaut32

SysStringLen
SysAllocStringByteLen
SysAllocString
VariantChangeType
VariantCopy
VariantTimeToSystemTime
VariantClear
SysAllocStringLen
OleLoadPicture
SysFreeString

comctl32

ord17

oledlg

ord8

olepro32

ord253

wininet

InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetQueryOptionA
InternetSetStatusCallback
InternetSetFilePointer
InternetWriteFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetGetLastResponseInfoA

ws2_32

WSAIoctl
setsockopt
connect
WSACleanup
gethostbyname
socket
send
recv
getsockname
htons
WSAStartup
closesocket
select

winspool.drv

ClosePrinter
OpenPrinterA
DocumentPropertiesA

comdlg32

GetSaveFileNameA
GetFileTitleA
GetOpenFileNameA

Sections

.text
Size: 288KB - Virtual size: 285KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4703d0687cd7d1991da5ad93396d72a3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

1e:b0:f4:d8:21:e2:39:ba:81:b3:d1:0e:61:b7:61:5bCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

39:d7:e7:02:68:cd:03:09:6a:2a:78:bb:c5:d3:aa:1e:6e:14:36:eeSigner

Signature Validations

Verification

13/04/2015, 10:15 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

comctl32

oledlg

olepro32

wininet

ws2_32

winspool.drv

comdlg32

Sections

.text Size: 288KB - Virtual size: 285KB

.rdata Size: 76KB - Virtual size: 75KB

.data Size: 24KB - Virtual size: 39KB

.rsrc Size: 16KB - Virtual size: 16KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

1e:b0:f4:d8:21:e2:39:ba:81:b3:d1:0e:61:b7:61:5b
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

39:d7:e7:02:68:cd:03:09:6a:2a:78:bb:c5:d3:aa:1e:6e:14:36:ee
Signer

13/04/2015, 10:15
Valid: false

.text
Size: 288KB - Virtual size: 285KB

.rdata
Size: 76KB - Virtual size: 75KB

.data
Size: 24KB - Virtual size: 39KB

.rsrc
Size: 16KB - Virtual size: 16KB