gh0strat | 6774c28fd2e4bc2743156766c0c44b35dcff9165a2b4cb12316c30fba9edfd44

Sharing

Copy URL Twitter E-mail

General

Target

6774c28fd2e4bc2743156766c0c44b35dcff9165a2b4cb12316c30fba9edfd44
Size

112KB
MD5

97a7f56310603390f098e3e511ae4240
SHA1

94063d96ff29967cb9e870ae580e2d58b1050027
SHA256

6774c28fd2e4bc2743156766c0c44b35dcff9165a2b4cb12316c30fba9edfd44
SHA512

71f09e403f974bf9bd436038a04330611d682d3ec03a596ba71e3c631a2f68fe81e21529ed727f1d0ab55c3e637c067ac02f2259943eb2fa91d8da0b4b7f3d19
SSDEEP

1536:eNvD8NEqiN7n4tyo0c3fqRcS2c5X5SjApDijyjOq3S2s1d:eNuEqQ74tyo0uqRcAnSUpDi2jOq3S2s

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

6774c28fd2e4bc2743156766c0c44b35dcff9165a2b4cb12316c30fba9edfd44
.dll windows x86

b4914db19861a4b1241f00f4f6da8ff7

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
ReleaseMutex
OpenEventA
SetErrorMode
SetUnhandledExceptionFilter
DisconnectNamedPipe
DisableThreadLibraryCalls
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
GlobalAlloc
GlobalLock
GlobalUnlock
CreatePipe
GetStartupInfoA
ExpandEnvironmentStringsA
GlobalSize
GetCurrentProcess
GetModuleFileNameA
CopyFileA
SetFileAttributesA
GetSystemDirectoryA
GlobalFree
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetDiskFreeSpaceExA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
GetVersionExA
lstrcatA
lstrlenA
lstrcpyA
CancelIo
InterlockedExchange
Sleep
ResetEvent
LoadLibraryA
GetProcAddress
VirtualAlloc
EnterCriticalSection
CreateEventA
LeaveCriticalSection
VirtualFree
UnmapViewOfFile
HeapAlloc
GetProcessHeap
HeapFree
CreateFileMappingA
MapViewOfFile
GetLocalTime
GetTickCount
SetLastError
DeleteCriticalSection
InitializeCriticalSection
CreateThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
GetWindowsDirectoryA

user32

MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetCursorPos
GetCursorInfo
keybd_event
GetDC
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
RegisterClassA
LoadIconA
CreateWindowExA
LoadMenuA
ExitWindowsEx
PostMessageA
GetUserObjectInformationA
SystemParametersInfoA
SendMessageA
BlockInput
DestroyCursor
LoadCursorA
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
GetKeyNameTextA
ReleaseDC
wsprintfA
CharNextA
GetWindowTextA
GetActiveWindow
OpenInputDesktop
CloseWindowStation
CloseDesktop
GetThreadDesktop
OpenDesktopA
SetThreadDesktop

gdi32

BitBlt
DeleteDC
DeleteObject
GetDIBits
CreateCompatibleDC
CreateDIBSection
SelectObject
GetStockObject
CreateCompatibleBitmap
CreateDCA

advapi32

RegQueryValueA
RegCloseKey
CloseServiceHandle
DeleteService
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegCreateKeyA
RegQueryValueExA
RegOpenKeyA
RegCreateKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegEnumKeyExA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
SetServiceStatus
RegSaveKeyA
RegRestoreKeyA
StartServiceA
RegisterServiceCtrlHandlerA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
RegOpenKeyExA

shell32

SHGetFileInfoA

msvcrt

_stricmp
_strrev
_strcmpi
__dllonexit
_strnicmp
_adjust_fdiv
_initterm
_onexit
_strlwr
??1type_info@@UAE@XZ
calloc
_beginthreadex
srand
wcstombs
rand
sprintf
_access
strcspn
strncat
atoi
strncpy
strcat
strrchr
_except_handler3
free
strcmp
strcpy
malloc
strchr
_CxxThrowException
strstr
strlen
_ftol
ceil
memmove
__CxxFrameHandler
putchar
memcpy
??3@YAXPAX@Z
??2@YAPAXI@Z
memset

ws2_32

WSAStartup
getsockname
WSACleanup
WSAIoctl
setsockopt
htons
gethostbyname
socket
send
recv
select
closesocket
gethostname
connect

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

wininet

InternetOpenA
InternetReadFile
InternetCloseHandle
InternetOpenUrlA

avicap32

capGetDriverDescriptionA

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

Exports

Exports

MsgBox
MyNewFun
addNumbers
wintest

Sections

.text
Size: 52KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Socket
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Info
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b4914db19861a4b1241f00f4f6da8ff7

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

msvcp60

imm32

wininet

avicap32

wtsapi32

userenv

Exports

Exports

Sections

.text Size: 52KB - Virtual size: 49KB

.Socket Size: 4KB - Virtual size: 2KB

.Info Size: 16KB - Virtual size: 12KB

.rdata Size: 16KB - Virtual size: 12KB

.data Size: 8KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 5KB

.text
Size: 52KB - Virtual size: 49KB

.Socket
Size: 4KB - Virtual size: 2KB

.Info
Size: 16KB - Virtual size: 12KB

.rdata
Size: 16KB - Virtual size: 12KB

.data
Size: 8KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 5KB