gh0strat | c16a6311bb4b82782a2204174fabd73e5e340b9179232d7ef0f50ddeea6c5ac3

Sharing

Copy URL Twitter E-mail

General

Target

c16a6311bb4b82782a2204174fabd73e5e340b9179232d7ef0f50ddeea6c5ac3
Size

19KB
MD5

b2925c6ef35452f0e6c5964f885733e5
SHA1

0d40bd5883cdd630e641d24a7c66df66b8bda4f0
SHA256

c16a6311bb4b82782a2204174fabd73e5e340b9179232d7ef0f50ddeea6c5ac3
SHA512

ed59acfab76b4cd02b9f5c664b52600254ca2e83d670fdc06a404e12c6aa78cc2581b3b8d15133c1233f0ba8c233b9aeec201a1ca931ab7b5f71c460c42451d9
SSDEEP

384:MUXWFZ2eNTNWbchM2YPyoCAQb4CVmryFY+pQdUA1A56DMDq7sXP9n:MUShPfY6oC6CXY+pQdUA10DqS9

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

c16a6311bb4b82782a2204174fabd73e5e340b9179232d7ef0f50ddeea6c5ac3
.dll windows x86

6a9543d1275fd4fa2298e96512be45d5

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleFileNameA
DeleteFileA
CreateMutexA
SetLastError
GetVersionExA
FreeConsole
OpenProcess
MoveFileA
GetSystemDirectoryA
lstrcmpiA
CreateFileA
Process32First
CreateToolhelp32Snapshot
lstrcpyA
GetTempPathA
GetPrivateProfileStringA
FreeLibrary
GetCurrentProcess
GetLastError
Sleep
CancelIo
InterlockedExchange
SetEvent
GetWindowsDirectoryA
lstrcatA
GetFileAttributesA
lstrlenA
GetTickCount
LoadLibraryA
GetProcAddress
InitializeCriticalSection
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
Process32Next

user32

wsprintfA

advapi32

StartServiceA
RegSaveKeyA
RegRestoreKeyA
RegCreateKeyExA
RegSetValueExA
RegDeleteKeyA
RegDeleteValueA
OpenSCManagerA
OpenServiceA
CloseServiceHandle
RegOpenKeyExA
SetServiceStatus
RegisterServiceCtrlHandlerA
RegOpenKeyA
RegQueryValueExA
RegCloseKey
OpenProcessToken
LookupPrivilegeValueA
DuplicateTokenEx
SetTokenInformation
AdjustTokenPrivileges
CreateProcessAsUserA
CreateServiceA
RegCreateKeyA

psapi

GetProcessMemoryInfo

msvcrt

malloc
_strnicmp
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
rand
srand
fclose
fwrite
fopen
??2@YAPAXI@Z
atoi
strncpy
wcstombs
_except_handler3
strtok
_beginthreadex
strncat
strchr
realloc
_strcmpi
free
_initterm
_adjust_fdiv

ws2_32

htons
gethostbyname
socket
select
setsockopt
closesocket
send
WSAStartup
WSACleanup
WSAIoctl
recv

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

Exports

Exports

CodeMain
ServiceMain
XXX

Sections

.text
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6a9543d1275fd4fa2298e96512be45d5

Headers

File Characteristics

Imports

kernel32

user32

advapi32

psapi

msvcrt

ws2_32

wtsapi32

userenv

Exports

Exports

Sections

.text Size: 11KB - Virtual size: 11KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 1024B - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 832B

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 11KB - Virtual size: 11KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 832B

.reloc
Size: 1KB - Virtual size: 1KB