gh0strat | b5ec2afaf29582cec349d496067ac153d16debb0e03b45f8c5717c532e095755

Sharing

Copy URL Twitter E-mail

General

Target

b5ec2afaf29582cec349d496067ac153d16debb0e03b45f8c5717c532e095755
Size

87KB
MD5

3424be3e5b85265e93931e621d0dc644
SHA1

2c8d5d00dc02ded5877de6d96f2473d5b1041bbd
SHA256

b5ec2afaf29582cec349d496067ac153d16debb0e03b45f8c5717c532e095755
SHA512

d0462ee26552c6f4cf397d85daf53cec3f94282d4a2c718e439e8222fe3af5345e4a453392ee5f8a8802c6c869f5389f2eae4c285fc7420d6dc75148f513d629
SSDEEP

1536:VXFLYCFAjtCTaHPO/RcrUlfR/uEeJtLUGqxej:VXDKjtCUkRoUdR/u9FUGqxej

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

b5ec2afaf29582cec349d496067ac153d16debb0e03b45f8c5717c532e095755
.dll windows x86

2960d51a18581ae15326af11c843043f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalSize
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
ExpandEnvironmentStringsA
GetLocalTime
MoveFileExA
GetSystemDirectoryA
TerminateThread
GetTickCount
OpenProcess
LoadLibraryA
GetProcAddress
FreeLibrary
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
GetCurrentProcess
SetLastError
GetModuleFileNameA
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
InitializeCriticalSection
Sleep
CancelIo
InterlockedExchange
SetEvent
lstrcpyA
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
GetSystemInfo

user32

SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
LoadCursorA
BlockInput
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
PostMessageA
OpenClipboard
DestroyCursor
EmptyClipboard
CharNextA
wsprintfA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
GetWindowTextA
IsWindowVisible
ExitWindowsEx
GetWindowThreadProcessId

gdi32

DeleteDC
CreateCompatibleDC
GetDIBits
CreateCompatibleBitmap
BitBlt
DeleteObject
SelectObject
CreateDIBSection

advapi32

OpenServiceA
QueryServiceStatus
ControlService
DeleteService
CloseServiceHandle
RegOpenKeyExA
RegQueryValueA
RegCloseKey
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceA
LockServiceDatabase
ChangeServiceConfigA
OpenSCManagerA
RegSetValueExA
RegCreateKeyA
RegQueryValueExA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegQueryInfoKeyA
EnumServicesStatusA
QueryServiceConfigA
UnlockServiceDatabase

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

strncpy
_strnicmp
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
_beginthreadex
wcstombs
atoi
realloc
strchr
strncat
_strcmpi
strrchr
_except_handler3
malloc
free
_CxxThrowException
??2@YAPAXI@Z
__CxxFrameHandler
strstr
_ftol
ceil
memmove
??3@YAXPAX@Z

ws2_32

closesocket
recv
select
socket
send
gethostname
getsockname
ntohs
htons
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
gethostbyname

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

wininet

InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle

avicap32

capGetDriverDescriptionA

psapi

EnumProcessModules
GetModuleFileNameExA

Exports

Exports

ServiceMain

Sections

.text
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2960d51a18581ae15326af11c843043f

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

ws2_32

msvcp60

wininet

avicap32

psapi

Exports

Exports

Sections

.text Size: 61KB - Virtual size: 61KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 6KB - Virtual size: 7KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 61KB - Virtual size: 61KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 6KB - Virtual size: 7KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB