gh0strat | e0c956b61d3dcff8df9636ae5732ef6d80ee8b845430f822ad10588fea0958e8

Sharing

Copy URL Twitter E-mail

General

Target

e0c956b61d3dcff8df9636ae5732ef6d80ee8b845430f822ad10588fea0958e8
Size

3.2MB
MD5

4f83b9192ebe803359583562a2401d40
SHA1

6f0c58ab29a3caa9eed297582c885969c5b922de
SHA256

e0c956b61d3dcff8df9636ae5732ef6d80ee8b845430f822ad10588fea0958e8
SHA512

464279b0583cdd2047b62a312c282d5522f54a97f64fd38e1146267a29cecb2962971e497374343e1429009c705599707d1b3e81b66600b36ed9a405cfa9fcaa
SSDEEP

3072:9ou4YqjEtv5+VsPYmHxn22qegSZo2Ipp/ArTBft2gdUAAaDYLQXTob+GzTmF:yJYB5rb2zSZxIr/ArTBl22XELQXFCiF

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

e0c956b61d3dcff8df9636ae5732ef6d80ee8b845430f822ad10588fea0958e8
.dll regsvr32 windows x86

e48fa66782aff140e0699908053dc91a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

oleaut32

SysStringLen
SysAllocString
SysFreeString

user32

ShowWindow
EnableWindow
GetWindowRect
CreateWindowExA
GetWindow
LoadCursorA
DestroyCursor
PtInRect
wsprintfA
wvsprintfA
GetClassNameA
GetCursorInfo
CloseWindowStation
CopyRect
SendMessageTimeoutA
DestroyWindow
MessageBoxA

shell32

SHFileOperationA

advapi32

RegisterServiceCtrlHandlerExA
QueryServiceStatusEx
RegSaveKeyA
RegRestoreKeyA
RegOpenKeyExW

ole32

CoUninitialize
CoInitialize
CoTaskMemFree
CoCreateInstance

shlwapi

SHDeleteKeyA

kernel32

ExitThread
RemoveDirectoryA
DeleteFileA
GlobalMemoryStatusEx
GetProcessTimes
GetSystemInfo
GetVersionExA
GetPrivateProfileSectionNamesA
IsBadReadPtr
FreeLibrary
LeaveCriticalSection
InterlockedExchange
GetLongPathNameA
GetCurrentProcess
GetTempPathA
SetEnvironmentVariableA
MultiByteToWideChar
IsBadStringPtrW
GlobalFree
GlobalAlloc
GetTempFileNameA
GetPrivateProfileStringA
InitializeCriticalSection
lstrcmpA
GetFileAttributesExA
GetShortPathNameA
GetCurrentThreadId
GetCurrentProcessId
GetProcAddress
WinExec
GetLastError
lstrcmpiA
GetModuleHandleA
VirtualQuery
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
IsBadWritePtr
GetTickCount
ExitProcess
GetSystemDirectoryA
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
HeapAlloc
GetCommandLineA

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

ws2_32

recv
WSACleanup
WSAIoctl
setsockopt
shutdown
getsockname
send
closesocket
select
connect
gethostname
gethostbyname
socket
WSAStartup

msvcrt

rand
srand
time
_ftol
strchr
_except_handler3
strrchr
memmove
realloc
ceil
wcslen
atoi
wcstombs
_CxxThrowException
_beginthreadex
_callnewh
strncat
atol
_memicmp
_strlwr
_stricmp
_strupr
_wcsicmp
_initterm
_adjust_fdiv
__dllonexit
_onexit
??1type_info@@UAE@XZ
malloc
free
__CxxFrameHandler

Exports

Exports

??0CComPlusComponent@@QAE@ABV0@@Z
??0CComPlusInterface@@QAE@ABV0@@Z
??0CComPlusMethod@@QAE@ABV0@@Z
??0CComPlusObject@@QAE@ABV0@@Z
??1CComPlusComponent@@UAE@XZ
??1CComPlusInterface@@UAE@XZ
??4CComPlusComponent
??4CComPlusInterface@@QAEAAV0@ABV0@@Z
??4CComPlusMethod@@QAEAAV0@ABV0@@Z
??4CComPlusObject@@QAEAAV0@ABV0@@Z
??4CComPlusTypelib@@QAEAAV0@ABV0@@Z
??_7CComPlusComponent@@6B@
??_7CComPlusInterface@@6B@
??_7CComPlusMethod@@6B@
??_7CComPlusObject@@6B@
?GetITypeLib@CComPlusTypelib@@QAEPAUITypeLib@@XZ
CGMIsAdministrator
COMPlusUninstallActionW
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
FindAssemblyModulesW
ManagedRequestW
QueryUserDllW
RegDBBackup
RegDBRestore
RunMTSToCom
StartMTSTOCOM
SysprepComplus

Sections

.text
Size: 104KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e48fa66782aff140e0699908053dc91a

Headers

File Characteristics

Imports

oleaut32

user32

shell32

advapi32

ole32

shlwapi

kernel32

userenv

ws2_32

msvcrt

Exports

Exports

Sections

.text Size: 104KB - Virtual size: 102KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 104KB - Virtual size: 102KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB