gh0strat | winsetup[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winsetup.exe
Size

287KB
MD5

77754f75888b235231a26cc363ba1bc5
SHA1

6eb136f17a62ffc3038e485ad209b21c794dc2a3
SHA256

78be65f626e4a9e81c655b36c96dacc8898287d4954cbffd98788e602369f8ca
SHA512

73111a577ee3377f9f519c2b3ee8ebab00f72bc6c9de33e45e50c413fa37e7b2b6182dc8a0b2e6901bfe8e380465e12236eda307a2f49c351387f431d72b51ea
SSDEEP

6144:1xEDp/PY3+WgP0LlZW/Rdki1OkbXxs0ddp8PIQO:1xI/PY/geqf7jOF

Score

10^/10

vmprotect gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

winsetup.exe
.exe windows x86

1423675632cb4d478eba3debd725c59f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
ReadFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
OpenEventA
CreateMutexA
CreateDirectoryA
CopyFileA
DefineDosDeviceA
LocalFree
MultiByteToWideChar
WideCharToMultiByte
lstrcpyW
LocalReAlloc
LocalSize
GlobalMemoryStatusEx
WinExec
lstrcmpiA
Module32Next
Module32First
CreateRemoteThread
GetModuleHandleA
OpenProcess
FreeLibrary
GetDiskFreeSpaceExA
GetDriveTypeA
GetLocalTime
CreateFileA
GetFileSize
SetFilePointer
lstrlenA
WriteFile
GetTempPathA
GetTickCount
MoveFileExA
SetFileAttributesA
GetSystemDirectoryA
DeleteFileA
GetModuleFileNameA
GetShortPathNameA
GetEnvironmentVariableA
GetCurrentProcess
SetPriorityClass
GetCurrentThread
SetThreadPriority
ResumeThread
CreateThread
CreateToolhelp32Snapshot
Process32First
Process32Next
TerminateThread
lstrcpyA
GetWindowsDirectoryA
lstrcatA
GetStartupInfoA
CreateProcessA
GetFileAttributesA
GetProcAddress
GetLastError
MoveFileA
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
Sleep
LoadLibraryA
GetCurrentThreadId
GetModuleFileNameW
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

user32

SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
GetMessageA
PostThreadMessageA
CloseClipboard
RegisterClassA
LoadIconA
GetWindowThreadProcessId
IsWindowVisible
CloseDesktop
SetThreadDesktop
IsWindow
CreateWindowExA
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
mouse_event
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
keybd_event
SendMessageA
SystemParametersInfoA
BlockInput
DestroyCursor
wsprintfA
LoadCursorA
GetKeyState
GetAsyncKeyState
GetForegroundWindow
EnumWindows
GetWindowTextA
GetInputState
MessageBoxA

gdi32

GetDIBits
BitBlt
GetStockObject
DeleteObject
SelectObject
CreateDIBSection
DeleteDC
CreateCompatibleBitmap
CreateCompatibleDC

advapi32

OpenSCManagerA
OpenProcessToken
GetTokenInformation
LookupAccountSidA
GetUserNameA
AbortSystemShutdownA
QueryServiceStatus
ControlService
RegDeleteKeyA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegCloseKey
RegSetValueExA
RegCreateKeyA
DeleteService
OpenServiceA
RegQueryValueExA
RegOpenKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
RegOpenKeyExA

shell32

SHGetSpecialFolderPathA
ShellExecuteA

msvcrt

_onexit
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
strlen
??0exception@@QAE@ABV0@@Z
_strcmpi
_strnicmp
_strupr
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
_iob
memcpy
__dllonexit
??1type_info@@UAE@XZ
calloc
_snprintf
_beginthreadex
atol
_mbscmp
_mbsstr
wcscpy
wcstombs
wcslen
mbstowcs
_errno
strncpy
strncmp
rand
atoi
realloc
strncat
exit
strrchr
sprintf
_except_handler3
free
malloc
strchr
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
_CxxThrowException
memmove
ceil
_ftol
strstr

ws2_32

gethostname
WSAStartup
ioctlsocket
__WSAFDIsSet
recvfrom
sendto
listen
accept
getpeername
bind
WSACleanup
WSAIoctl
ntohs
inet_addr
getsockname
inet_ntoa
send
closesocket
recv
select
socket
setsockopt
connect
htons
gethostbyname

urlmon

URLDownloadToFileA

wininet

InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA

avicap32

capGetDriverDescriptionA

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameEnd
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree

iphlpapi

GetIfTable

netapi32

NetUserGetInfo
NetUserDel
NetUserSetInfo
NetUserGetLocalGroups
NetApiBufferFree
NetUserEnum
NetLocalGroupAddMembers
NetUserAdd

wtsapi32

WTSQuerySessionInformationW
WTSEnumerateSessionsA
WTSFreeMemory
WTSQuerySessionInformationA
WTSDisconnectSession
WTSLogoffSession

Exports

Exports

��e�G�]��&W󓘆p��ǧ ��=5�n�A>�]1ᬄF�*��[��8��d\��Z��Η�'��b�$�ޞ&��Z>��X��P��]��U�X�+��Aҭc%xe��k��!.r)�k��&��<�]��.�l��x�[:7v@y�H��4��+F��6;e��ϵ��-�6�t�Kw�ܙ��Y��}i��?��Ip��Y��:��*,��B�� cϻ��k�ZJF�Ev��n.��Ou��&��@� ��E��ܠT��7!3 7��ć~'e��Ď;&�by�8�u^xr��}=�V��w&�l'��4VI��;k��\��TVu5�}��]�DA�d��"�NE;MsM��@��dY+�|��Lk�p߅�PV!��a��h�)� �Lۿ�'�@7�z�Fl�,@"�FEҖ��̃Z5W��TI��,uU-2��MWə�a��TC�m��[?�o)q�%_�5r*�Z�2�TP��t�c�4�X4�'v��ő;��7�s��j��F-X��$��~�:��k��,�cbeҦ0b��*^��)�]R�K仱2�߹g� N��^��h�M��dFo� K{�U�4"C[A�mXl��[@6�2�|�1��9R� �z#�߹��N@�� uq��Pﱮ��'6�C��8s�ȿ�� 6^�*�Lp��V� �6�8)��B��Ĵ�P��DST��C]#o��`g=�Q��r��f�e��,�J�-;��X��r�*Q'̠hyQ��yo�|�.ZȠ�{vz��豄�$}��a�ˣ��;��f?�\X��(]b`�A�Ih�ų�0^�Tj��N$�q߭B��rn��*��?�]I9��m�/'�ĠȌ?�50�c�o��D@��M*Y��/k��͠��w��a��sW<�w��>RF��P�T��p�a�M+�Y��09�Sug�E��d�pmf~��s%;��Cg��;��-�K�C��*n�A��#r��UD6m� ��̉J�6&�8�0w�^:��t��P$��"n��J��$ɽ��m��clYA�W%��ߴL!�X�J8��H��Z�ۭD�f�8g��>�-A6/#�a��N�$Z[��eY��YG�3��q��-N��-�t9�w{��%��3��Qp��;��E��}��f[��8��a��T�y��ڸ`ifm��-�Ih�W7Hn.�}N�"N*/�G��\*D��L��?�]Y�#�H��ሟ|��_��_�&աv�[�J6�T G �y6 �5\��jΰ��]]x�o��V��q3%��w#��K�d�f�#�([�z��?�G��;�έw^ToDR��9��c(�KZ��=�bqm'4�L��{� C�20��O`�zKK͗*mR��~>�� q�h�Y��qx��{�PJ��>�R�;�R�t��V��ؼ�t<�E1��r��7�im#��.��,� ~R��݊z�wWEG�n��H��X��1��>X v�K�c>6_f$^��ݵ4��n�a�i�ܓ�t])��]�3�`��F��"{�lj<�A�tQ� im�闸�4��Ui�V'��s~F�M��u��U-(��m��E��ڮyV�Z9��M��B�(��a��P�Ix��&�l(��C�`|��x��#&��oZ��'��ٌve��хU`Ž�0h�4L�5��Z<;C?K{H(��i��C�2��`=��YJԀ�@��ԋ��L01Ո�&z��+,Ǜg1ŕ�1��=�z7 J�!��Mf��o�wI��[a RP�=!��F��pՌ �G��w+o#A�u� 2pz��$ރ��HO]ӪW ��5v�q�{�ș�p� C�:�.�}:��g��vf�^��Xw�{ �^>�)�J��U��F��B��H�k"��w]/�Q�a�(��Ɓǯh��9;t��TPkA��V�Y��t�V'��"o[�~~�6��μ��ɘT&�Qo Ӫ~��3�v��һ��e�;B Kb�r<5^3��GӸ�T^U��s�N֗��2�Q�J1A�G2�=�KI�}�%� HLܛ�٦�k}o�,�~N��l�t�杴�4�M��R�'��W�x��$cS��#]�I7��ki��ܻ(��d��U��1Ͳ��@��X��q��f�ǪMcS�%)��#��8��*0��z!t�|�6��\��6H�^O��*��uV냞��H��@'}Ӷ��t��IU��)ھ��)�3n,E��q�W!r�x�\ ��%��x��bѕ%�!d�3؄�� R�d� a��yُ�j`��;/��g�z��ʤ��:��tJA��W�� ^q� +�w�|�6�.0��n�ܦ��}��MB.8��]_��e3��.��^I �-��b��)�$��s_�J�j�*��;̷GIB��6��s�/�*F�c��U��F��D�kM��5a��-��V�s7@��<�U��s �-ѻ�QG�a�%�Xx$��z��ax�E�t#��N��e�)�\h�s��D��қW�6=��mk!��3�(�hc��>��3�j�|^M�F~��cDw�� O��4�=� ��Hg��5~�eİ��-!��E�!��O��' 4[�dN��9�0N�ǯ�ـ��]�.��E�H:^J� L#M��V��1�9�#(��Ti�$�{�`p�g�z�OO/�tY^m��/"��TE0��Фi ��ý k��o�F��pR��M��^��Z�.��F/}�C��W��~�xhR��.H�Ys��9�n�%@�v��J �`��,0�Ȧ,�b}�9��/}�Ϊ�

Sections

.text
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 105KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

1423675632cb4d478eba3debd725c59f

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcrt

ws2_32

urlmon

wininet

avicap32

msvfw32

iphlpapi

netapi32

wtsapi32

Exports

Exports

Sections

.text Size: 104KB - Virtual size: 103KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 12KB - Virtual size: 26KB

.vmp0 Size: 105KB - Virtual size: 105KB

.tls Size: 512B - Virtual size: 24B

.vmp1 Size: 50KB - Virtual size: 49KB

.text
Size: 104KB - Virtual size: 103KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 12KB - Virtual size: 26KB

.vmp0
Size: 105KB - Virtual size: 105KB

.tls
Size: 512B - Virtual size: 24B

.vmp1
Size: 50KB - Virtual size: 49KB