gh0strat | a14f25455a55ddd0c80dffac4af7395ed964de9d9ccbb160981c506927eece36

Sharing

Copy URL Twitter E-mail

General

Target

a14f25455a55ddd0c80dffac4af7395ed964de9d9ccbb160981c506927eece36
Size

123KB
MD5

8f34b159c87092488d8a7bae7d4b3608
SHA1

50fb3665a758f229019cef4e42aebed489214f32
SHA256

a14f25455a55ddd0c80dffac4af7395ed964de9d9ccbb160981c506927eece36
SHA512

1c0ce4a69918065d1a90491392433d6ac252b06ad99e7e038e9e0748d95c2a9ea46a5383e7028559df3ac40c82e286b38c770bd4e581104fb7bd6168634c1fd6
SSDEEP

1536:AY0KevCbvsfm7wzOD2HJrc3uJf4BSONNhYEOhj2BkUanqdG:AYAvCb52HJrcuJ4BSONXYEOhyBkUuSG

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

a14f25455a55ddd0c80dffac4af7395ed964de9d9ccbb160981c506927eece36
.exe windows x86

3dc4ae22c447d4321a9d0bbcc6cbdfa2

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

37:c4:33:d7:d6:66:a1:0b:89:12:64:3d:c0:d6:29:50
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

23/09/2012, 00:00

Not After

23/12/2013, 23:59

Subject

CN=Industrial and Commercial Bank of China Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Software Development Center,O=Industrial and Commercial Bank of China Limited,L=BEIJING,ST=BEIJING,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

53:41:a3:9c:51:8a:57:9e:ad:6e:80:22:32:be:73:54:52:5d:24:db
Signer

Actual PE Digest

53:41:a3:9c:51:8a:57:9e:ad:6e:80:22:32:be:73:54:52:5d:24:db

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Industrial and Commercial Bank of China Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Software Development Center,O=Industrial and Commercial Bank of China Limited,L=BEIJING,ST=BEIJING,C=CN

12/07/2013, 08:26
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_strnicmp
memmove
ceil
atoi
rand
srand
time
printf
exit
strncat
strchr
clock
_beginthreadex
calloc
??1type_info@@UAE@XZ
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
??3@YAXPAX@Z
_controlfp
_ftol
strstr
__CxxFrameHandler
_CxxThrowException
??2@YAPAXI@Z
free
strrchr
_except_handler3
malloc

kernel32

lstrcmpiA
RaiseException
GetStartupInfoA
GetModuleHandleA
CreateToolhelp32Snapshot
Process32First
Process32Next
LocalSize
CreateMutexA
CopyFileA
SetFileAttributesA
SetErrorMode
OpenEventA
ReleaseMutex
GetVersionExA
GetSystemInfo
GlobalMemoryStatus
WaitForMultipleObjects
PeekNamedPipe
TerminateProcess
DisconnectNamedPipe
CreatePipe
GetSystemDirectoryA
GlobalSize
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
lstrcpyA
GetProcAddress
LoadLibraryA
SetEvent
InterlockedExchange
CancelIo
Sleep
DeleteFileA
GetLastError
CreateDirectoryA
GetFileAttributesA
lstrlenA
CreateProcessA
lstrcatA
GetLogicalDriveStringsA
FindClose
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
GetCurrentProcess
FreeLibrary
OpenProcess
CreateThread
GetTickCount
TerminateThread
WinExec
OutputDebugStringA
GetModuleFileNameA

user32

GetThreadDesktop
CloseWindow
IsWindow
PostMessageA
CreateWindowExA
CharNextA
wsprintfA
LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
EnumWindows
GetWindowTextA
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
GetCursorPos
GetCursorInfo

gdi32

CreateDIBSection
GetDIBits
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC

shell32

SHGetSpecialFolderPathA

ws2_32

WSAGetLastError
inet_ntoa
htonl
sendto
inet_addr
gethostname
select
closesocket
recv
ntohs
socket
gethostbyname
getsockname
send
htons
connect
setsockopt
WSAStartup
WSACleanup
WSAIoctl

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB

mfc42

ord2818
ord537
ord6648
ord2764
ord4129
ord926
ord924
ord922
ord535
ord858
ord540
ord800
ord6877
ord939
ord4278
ord860
ord6663

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

Sections

.text
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3dc4ae22c447d4321a9d0bbcc6cbdfa2

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

37:c4:33:d7:d6:66:a1:0b:89:12:64:3d:c0:d6:29:50Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

53:41:a3:9c:51:8a:57:9e:ad:6e:80:22:32:be:73:54:52:5d:24:dbSigner

Signature Validations

Verification

12/07/2013, 08:26 Valid: false

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

gdi32

shell32

ws2_32

msvcp60

mfc42

avicap32

Sections

.text Size: 72KB - Virtual size: 71KB

.rdata Size: 16KB - Virtual size: 13KB

.data Size: 8KB - Virtual size: 12KB

.rsrc Size: 16KB - Virtual size: 14KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

37:c4:33:d7:d6:66:a1:0b:89:12:64:3d:c0:d6:29:50
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

53:41:a3:9c:51:8a:57:9e:ad:6e:80:22:32:be:73:54:52:5d:24:db
Signer

12/07/2013, 08:26
Valid: false

.text
Size: 72KB - Virtual size: 71KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 8KB - Virtual size: 12KB

.rsrc
Size: 16KB - Virtual size: 14KB