gh0strat | 1424-55-0x0000000010000000-0x0000000010010000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

1424-55-0x0000000010000000-0x0000000010010000-memory.dmp
Size

64KB
MD5

18009c85c24250555b9ea1164404b9c7
SHA1

cec3c3620f51eea45e7b194857c8028bf5742391
SHA256

7baed1fcac00aa2d0b28f67fbdae883b0155fb2749bffdafbddaaa0c2042a1e4
SHA512

eb8f020897a3b3017ade51dd4c643988f0be63879778ab7aac184ecf86a69cf76173a499977dfffd19b615aa90e75726ba047ddf350f62895e5a8a53eddec2bf
SSDEEP

1536:bicV9vfa4gmiD7KKb+qqnu3/+ykqz5K28:LfakiD7xb+qqnuv+yn5K1

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

30.cmananan.com

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

1424-55-0x0000000010000000-0x0000000010010000-memory.dmp
.dll windows x86

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcatA
CreateProcessA
ExpandEnvironmentStringsA
lstrcpyA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
ExitProcess
GetModuleFileNameA
Process32Next
TerminateProcess
OpenProcess
Process32First
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DeleteFileA
GetTickCount
LocalSize
LocalAlloc
CreateThread
GetComputerNameA
GetDiskFreeSpaceExA
GetLocalTime
GlobalMemoryStatusEx
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
lstrcmpiA
LoadLibraryW
WinExec
GetFileAttributesA
CreateDirectoryA
ReleaseMutex
CreateMutexA
MoveFileExA
MoveFileA
SetFileAttributesA
CopyFileA
GetCurrentThreadId
OutputDebugStringA
GetSystemDirectoryA
GetFileSize
SetFilePointer
lstrlenA
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GlobalAlloc
GetLastError
LocalFree
SetLastError
CreateFileA
DeviceIoControl
WriteFile
CloseHandle
Sleep
GetVersion
GetCurrentProcess
FindFirstFileA
FindNextFileA
GlobalLock
GlobalUnlock
VirtualAlloc
GetDriveTypeA
VirtualFree

user32

OpenClipboard
SetClipboardData
EmptyClipboard
wsprintfA
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
GetClipboardData
CloseClipboard
ExitWindowsEx
IsWindowVisible
GetInputState
PostThreadMessageA
GetMessageA
GetLastInputInfo
GetSystemMetrics
EnumWindows
SendMessageA
MessageBoxA

advapi32

ClearEventLogA
CloseEventLog
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
DeleteService
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
OpenEventLogA

shell32

SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoInitialize
CoCreateGuid
CoUninitialize

ws2_32

recv
getsockname
send
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
gethostname
closesocket

msvcrt

??1type_info@@UAE@XZ
_initterm
_beginthreadex
_except_handler3
strncmp
_adjust_fdiv
_strcmpi
_strupr
_stricmp
_snprintf
strcspn
strncpy
atoi
_access
strrchr
malloc
free
realloc
sprintf
strstr
_CxxThrowException
??2@YAPAXI@Z
exit
__CxxFrameHandler
_ftol
??3@YAXPAX@Z

setupapi

SetupDiEnumDeviceInfo
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA

iphlpapi

GetIfTable

urlmon

URLDownloadToFileA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

fuckyou
fuckyou1

Sections

.text
Size: 36KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

msvcrt

setupapi

iphlpapi

urlmon

wtsapi32

Exports

Exports

Sections

.text Size: 36KB - Virtual size: 256.0MB

.rdata Size: 8KB - Virtual size: 256.0MB

.data Size: 8KB - Virtual size: 256.0MB

.reloc Size: 4KB - Virtual size: 256.1MB

.text
Size: 36KB - Virtual size: 256.0MB

.rdata
Size: 8KB - Virtual size: 256.0MB

.data
Size: 8KB - Virtual size: 256.0MB

.reloc
Size: 4KB - Virtual size: 256.1MB