gh0strat | 1948-55-0x0000000010000000-0x0000000010010000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

1948-55-0x0000000010000000-0x0000000010010000-memory.dmp
Size

64KB
MD5

f6acd26c096ba3908ca614137239bf16
SHA1

87e2361d064b3ee49e8ccf7657e67fb5f6b81db7
SHA256

0ad0c2b72901163dbf2cef2b575b81ffd1da814c9d9e5b88bddd4881c6b4e00f
SHA512

0a4dd0ab07c962330a1a472ea2c0e96ad5d0572c1f6bfa921dca949aefc9679f6cbc7b3008772085a9bf9f1d40b5bfdb2f936587cf6bccaa7b152494b207221c
SSDEEP

1536:bicV9vfa4gmiD7KKb+qqnu3h+ykvz5K28:LfakiD7xb+qqnuR+ye5K1

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

3005.qmananan.com

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

1948-55-0x0000000010000000-0x0000000010010000-memory.dmp
.dll windows x86

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcatA
CreateProcessA
ExpandEnvironmentStringsA
lstrcpyA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
ExitProcess
GetModuleFileNameA
Process32Next
TerminateProcess
OpenProcess
Process32First
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DeleteFileA
GetTickCount
LocalSize
LocalAlloc
CreateThread
GetComputerNameA
GetDiskFreeSpaceExA
GetLocalTime
GlobalMemoryStatusEx
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
lstrcmpiA
LoadLibraryW
WinExec
GetFileAttributesA
CreateDirectoryA
ReleaseMutex
CreateMutexA
MoveFileExA
MoveFileA
SetFileAttributesA
CopyFileA
GetCurrentThreadId
OutputDebugStringA
GetSystemDirectoryA
GetFileSize
SetFilePointer
lstrlenA
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GlobalAlloc
GetLastError
LocalFree
SetLastError
CreateFileA
DeviceIoControl
WriteFile
CloseHandle
Sleep
GetVersion
GetCurrentProcess
FindFirstFileA
FindNextFileA
GlobalLock
GlobalUnlock
VirtualAlloc
GetDriveTypeA
VirtualFree

user32

OpenClipboard
SetClipboardData
EmptyClipboard
wsprintfA
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
GetClipboardData
CloseClipboard
ExitWindowsEx
IsWindowVisible
GetInputState
PostThreadMessageA
GetMessageA
GetLastInputInfo
GetSystemMetrics
EnumWindows
SendMessageA
MessageBoxA

advapi32

ClearEventLogA
CloseEventLog
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
DeleteService
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
OpenEventLogA

shell32

SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoInitialize
CoCreateGuid
CoUninitialize

ws2_32

recv
getsockname
send
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
gethostname
closesocket

msvcrt

??1type_info@@UAE@XZ
_initterm
_beginthreadex
_except_handler3
strncmp
_adjust_fdiv
_strcmpi
_strupr
_stricmp
_snprintf
strcspn
strncpy
atoi
_access
strrchr
malloc
free
realloc
sprintf
strstr
_CxxThrowException
??2@YAPAXI@Z
exit
__CxxFrameHandler
_ftol
??3@YAXPAX@Z

setupapi

SetupDiEnumDeviceInfo
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA

iphlpapi

GetIfTable

urlmon

URLDownloadToFileA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

fuckyou
fuckyou1

Sections

.text
Size: 36KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

msvcrt

setupapi

iphlpapi

urlmon

wtsapi32

Exports

Exports

Sections

.text Size: 36KB - Virtual size: 256.0MB

.rdata Size: 8KB - Virtual size: 256.0MB

.data Size: 8KB - Virtual size: 256.0MB

.reloc Size: 4KB - Virtual size: 256.1MB

.text
Size: 36KB - Virtual size: 256.0MB

.rdata
Size: 8KB - Virtual size: 256.0MB

.data
Size: 8KB - Virtual size: 256.0MB

.reloc
Size: 4KB - Virtual size: 256.1MB