gh0strat | 4972-135-0x0000000010000000-0x0000000010010000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

4972-135-0x0000000010000000-0x0000000010010000-memory.dmp
Size

64KB
MD5

aff04413bbfa17d4effc99984c8f6c5c
SHA1

74ecee016f57c81a663bef3adfed88a1f5329ce1
SHA256

95ce34ddd123a5fb6bf6a8582e2133324910bf53a18375c585b0333529005547
SHA512

8e4f1d8f3020bb49a1eaba1052229cddb2378f552ee2bfc81fc3f6f3e393f2c6394ad6d12732e458c683c192c6d7f0079f438ab3f98ff5193a0ecfbce900f994
SSDEEP

1536:bicV9vfa4gmiD7KKb+qqnu3/++ykvz5K28:LfakiD7xb+qqnuP++ye5K1

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

3005.qmananan.com

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

4972-135-0x0000000010000000-0x0000000010010000-memory.dmp
.dll windows x86

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcatA
CreateProcessA
ExpandEnvironmentStringsA
lstrcpyA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
ExitProcess
GetModuleFileNameA
Process32Next
TerminateProcess
OpenProcess
Process32First
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DeleteFileA
GetTickCount
LocalSize
LocalAlloc
CreateThread
GetComputerNameA
GetDiskFreeSpaceExA
GetLocalTime
GlobalMemoryStatusEx
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
lstrcmpiA
LoadLibraryW
WinExec
GetFileAttributesA
CreateDirectoryA
ReleaseMutex
CreateMutexA
MoveFileExA
MoveFileA
SetFileAttributesA
CopyFileA
GetCurrentThreadId
OutputDebugStringA
GetSystemDirectoryA
GetFileSize
SetFilePointer
lstrlenA
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GlobalAlloc
GetLastError
LocalFree
SetLastError
CreateFileA
DeviceIoControl
WriteFile
CloseHandle
Sleep
GetVersion
GetCurrentProcess
FindFirstFileA
FindNextFileA
GlobalLock
GlobalUnlock
VirtualAlloc
GetDriveTypeA
VirtualFree

user32

OpenClipboard
SetClipboardData
EmptyClipboard
wsprintfA
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
GetClipboardData
CloseClipboard
ExitWindowsEx
IsWindowVisible
GetInputState
PostThreadMessageA
GetMessageA
GetLastInputInfo
GetSystemMetrics
EnumWindows
SendMessageA
MessageBoxA

advapi32

ClearEventLogA
CloseEventLog
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
DeleteService
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
OpenEventLogA

shell32

SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoInitialize
CoCreateGuid
CoUninitialize

ws2_32

recv
getsockname
send
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
gethostname
closesocket

msvcrt

??1type_info@@UAE@XZ
_initterm
_beginthreadex
_except_handler3
strncmp
_adjust_fdiv
_strcmpi
_strupr
_stricmp
_snprintf
strcspn
strncpy
atoi
_access
strrchr
malloc
free
realloc
sprintf
strstr
_CxxThrowException
??2@YAPAXI@Z
exit
__CxxFrameHandler
_ftol
??3@YAXPAX@Z

setupapi

SetupDiEnumDeviceInfo
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA

iphlpapi

GetIfTable

urlmon

URLDownloadToFileA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

fuckyou
fuckyou1

Sections

.text
Size: 36KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

msvcrt

setupapi

iphlpapi

urlmon

wtsapi32

Exports

Exports

Sections

.text Size: 36KB - Virtual size: 256.0MB

.rdata Size: 8KB - Virtual size: 256.0MB

.data Size: 8KB - Virtual size: 256.0MB

.reloc Size: 4KB - Virtual size: 256.1MB

.text
Size: 36KB - Virtual size: 256.0MB

.rdata
Size: 8KB - Virtual size: 256.0MB

.data
Size: 8KB - Virtual size: 256.0MB

.reloc
Size: 4KB - Virtual size: 256.1MB