gh0strat | 81945a0e6623cc42bcea49e3365cb320d809796c53dd1131f35c908d514e057b

Sharing

Copy URL

Twitter E-mail

General

Target

81945a0e6623cc42bcea49e3365cb320d809796c53dd1131f35c908d514e057b
Size

164KB
MD5

35fe821060b2bf5f8e7289154bde8f21
SHA1

5b9571d2912dd100e6278c64e418539afda1e2c8
SHA256

81945a0e6623cc42bcea49e3365cb320d809796c53dd1131f35c908d514e057b
SHA512

c204dacc5eff461e46ccb7f8a1c2bb8384ad2055c15b9fda7f652d5751efe19866d41bb9775f5a90150f8b11da0f74670d20259f53c1ab7271cd58c8b32b7a4b
SSDEEP

3072:PhLTh+1Qzh8PWqFbwAiIwFemjYJelno7koBlxfAr:5LtJ8PdFylemjsw2kux

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

81945a0e6623cc42bcea49e3365cb320d809796c53dd1131f35c908d514e057b
.dll windows x86

dd579aea5d43935fe9b3ea5449cfcb4a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WaitForSingleObject
SetEvent
FreeLibrary
CloseHandle
Sleep
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
GetLastError
ResetEvent
InterlockedExchange
CancelIo
GetTickCount
GetLocalTime
GetCurrentProcessId
HeapAlloc
GetProcessHeap
DeleteFileA
CreateDirectoryA
GetFileAttributesA
lstrcpyA
lstrlenA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
GetFileSize
ReadFile
SetFilePointer
MoveFileA
CreateProcessA
LoadLibraryA
CreateThread
TerminateThread
lstrcmpiA
HeapFree
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
GetModuleHandleA
LocalSize
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
TerminateProcess
CreateToolhelp32Snapshot
Process32Next
Process32First
OutputDebugStringA
lstrcatA
GlobalMemoryStatus
GetVersionExA
GetCurrentProcess
SetLastError
DuplicateHandle
CreateFileA
OpenProcess
OpenEventA
SetErrorMode
GetModuleFileNameA
FreeConsole
WinExec
CopyFileA
ExpandEnvironmentStringsA
MultiByteToWideChar
RaiseException
GetProcAddress

user32

LoadMenuA
CreateWindowExA
CloseWindow
IsWindow
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetCursorPos
DestroyCursor
ReleaseDC
GetDesktopWindow
RegisterClassA
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
SetCapture
MapVirtualKeyA
keybd_event
SendMessageA
BlockInput
LoadCursorA
MessageBoxA
GetWindowTextA
wsprintfA
CharNextA
LoadIconA
GetDC
DispatchMessageA
TranslateMessage
GetMessageA
WindowFromPoint

gdi32

GetStockObject

shell32

SHGetSpecialFolderPathA

msvcrt

_strcmpi
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
srand
_access
wcstombs
_beginthreadex
_snprintf
strchr
atoi
wcscpy
strrchr
_except_handler3
malloc
free
strncpy
sprintf
rand
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
puts
??3@YAXPAX@Z
_stricmp
_strrev
putchar
??2@YAPAXI@Z

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

netapi32

NetLocalGroupAddMembers
NetUserAdd

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

Exports

Exports

CaoniM
ForEnd
HinWork
Nod32api
main

Sections

.text
Size: 136KB - Virtual size: 136KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

dd579aea5d43935fe9b3ea5449cfcb4a

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

msvcrt

msvcp60

netapi32

wtsapi32

userenv

Exports

Exports

Sections

.text Size: 136KB - Virtual size: 136KB

.rsrc Size: 8KB - Virtual size: 8KB

.reloc Size: 16KB - Virtual size: 16KB

.text
Size: 136KB - Virtual size: 136KB

.rsrc
Size: 8KB - Virtual size: 8KB

.reloc
Size: 16KB - Virtual size: 16KB