gh0strat | c28976bd28f4cde37629d5f099cb502ab7e9fc7f25e5121c5104c1c91e0e3d2a

Sharing

Copy URL

Twitter E-mail

General

Target

c28976bd28f4cde37629d5f099cb502ab7e9fc7f25e5121c5104c1c91e0e3d2a
Size

100KB
MD5

5a1b951e8fbef3aaac9c4228a5f7d78f
SHA1

4cca8ac4c703713df8b2e7b22059f0eba073ec49
SHA256

c28976bd28f4cde37629d5f099cb502ab7e9fc7f25e5121c5104c1c91e0e3d2a
SHA512

bc21c454a906733ff376ca517b72fe74e1dcde467aac3e9e146880b2bf6b398f5bf23f5511dde11e49b49f11a426a01c8b5640fdf6ee2625ebae7167b750c73c
SSDEEP

1536:8y7lx524AmHDrNgOwEOOcuE2fxaMPJwfWKUzzMtAQGC:8OljZwEOOxEgxaMBwfWKU83J

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

c28976bd28f4cde37629d5f099cb502ab7e9fc7f25e5121c5104c1c91e0e3d2a
.dll windows x86

0af8648ac6eeb57e3ee1834afd08c266

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetDiskFreeSpaceExA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
DeleteFileA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
DeviceIoControl
GlobalMemoryStatus
GetVersionExA
OutputDebugStringA
OpenEventA
SetUnhandledExceptionFilter
SetErrorMode
GetCurrentProcess
lstrcatA
GetModuleFileNameA
CreateThread
GetStartupInfoA
GetWindowsDirectoryA
OpenProcess
InitializeCriticalSection
GetLocalTime
Process32Next
Process32First
TerminateThread
ResumeThread
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
PeekNamedPipe
WaitForMultipleObjects
lstrcmpiA
GetCurrentThreadId
CreateProcessA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
ResetEvent
SetEvent
lstrcpyA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
GetTempPathA
LoadLibraryA
GetProcAddress
WaitForSingleObject
GetTickCount
Sleep
InterlockedExchange
CloseHandle
LoadLibraryW

user32

EnumWindows
DispatchMessageA
TranslateMessage
GetMessageA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
IsWindowVisible
GetKeyState
CreateWindowExA
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
GetWindowThreadProcessId
ExitWindowsEx
GetDesktopWindow
GetDC
SetCursorPos
mouse_event
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
CloseWindow
MessageBoxA
CharNextA
wsprintfA
SetProcessWindowStation
OpenWindowStationA
IsWindow
GetProcessWindowStation
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
WindowFromPoint
GetClipboardData
GetSystemMetrics
LoadCursorA
ReleaseDC
GetCursorInfo
GetCursorPos
SetRect

gdi32

CreateCompatibleDC
CreateDIBSection
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
SelectObject
DeleteObject

advapi32

RegOpenKeyExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCreateKeyA
RegSetValueExA
RegCloseKey
RegQueryValueA
RegQueryValueExA
RegOpenKeyA

shell32

SHGetFileInfoA
ShellExecuteA

msvcrt

_strupr
??1type_info@@UAE@XZ
_strnicmp
_adjust_fdiv
_initterm
calloc
_beginthreadex
_errno
sprintf
strncmp
_iob
strncpy
exit
fopen
vfprintf
fclose
atoi
realloc
strrchr
_except_handler3
malloc
free
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z

winmm

waveInOpen
waveOutPrepareHeader
waveOutOpen
waveInPrepareHeader
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveInClose
waveInAddBuffer
waveInStart
waveInGetNumDevs
waveOutGetNumDevs
waveInStop
waveInUnprepareHeader
waveInReset
waveOutWrite

ws2_32

ntohs
gethostbyname
recv
setsockopt
closesocket
select
send
__WSAFDIsSet
recvfrom
sendto
listen
accept
getpeername
bind
inet_addr
inet_ntoa
getsockname
gethostname
socket
htons
connect
WSAIoctl
WSACleanup
WSAStartup

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

msvfw32

ICSeqCompressFrame
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
ICSeqCompressFrameStart

psapi

GetModuleFileNameExA
EnumProcessModules

Exports

Exports

FordBack
GetDllClassObject

Sections

.text
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0af8648ac6eeb57e3ee1834afd08c266

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

winmm

ws2_32

msvcp60

wininet

msvfw32

psapi

Exports

Exports

Sections

.text Size: 70KB - Virtual size: 69KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 12KB - Virtual size: 15KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 70KB - Virtual size: 69KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 12KB - Virtual size: 15KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 4KB - Virtual size: 4KB