gh0strat | 1704-55-0x0000000010000000-0x0000000010010000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

1704-55-0x0000000010000000-0x0000000010010000-memory.dmp
Size

64KB
MD5

5cd2a2ac6a3e1241f21ee753bd6975bc
SHA1

5a0f9b95a3af580d15e4bcf9bdbfb7a677e1455a
SHA256

45457c77061a415fec1d0ce8dbc8d265aa26a3a18fdba43bccb939133b5bc5eb
SHA512

209eae78629134827159c13b923633550be9d445f10e5a25654835738bacb6c568f3c80fd3ec69ef1fffeab443bb05fc5260f2991fbece0a030b6c401f42d2c7
SSDEEP

1536:bicV9vfa4gmiD7KKb+qqnu3A+ykvz5K28:LfakiD7xb+qqnuQ+ye5K1

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

3005.qmananan.com

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Files

1704-55-0x0000000010000000-0x0000000010010000-memory.dmp
.dll windows x86

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcatA
CreateProcessA
ExpandEnvironmentStringsA
lstrcpyA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
ExitProcess
GetModuleFileNameA
Process32Next
TerminateProcess
OpenProcess
Process32First
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DeleteFileA
GetTickCount
LocalSize
LocalAlloc
CreateThread
GetComputerNameA
GetDiskFreeSpaceExA
GetLocalTime
GlobalMemoryStatusEx
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
lstrcmpiA
LoadLibraryW
WinExec
GetFileAttributesA
CreateDirectoryA
ReleaseMutex
CreateMutexA
MoveFileExA
MoveFileA
SetFileAttributesA
CopyFileA
GetCurrentThreadId
OutputDebugStringA
GetSystemDirectoryA
GetFileSize
SetFilePointer
lstrlenA
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GlobalAlloc
GetLastError
LocalFree
SetLastError
CreateFileA
DeviceIoControl
WriteFile
CloseHandle
Sleep
GetVersion
GetCurrentProcess
FindFirstFileA
FindNextFileA
GlobalLock
GlobalUnlock
VirtualAlloc
GetDriveTypeA
VirtualFree

user32

OpenClipboard
SetClipboardData
EmptyClipboard
wsprintfA
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
GetClipboardData
CloseClipboard
ExitWindowsEx
IsWindowVisible
GetInputState
PostThreadMessageA
GetMessageA
GetLastInputInfo
GetSystemMetrics
EnumWindows
SendMessageA
MessageBoxA

advapi32

ClearEventLogA
CloseEventLog
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
DeleteService
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
OpenEventLogA

shell32

SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoInitialize
CoCreateGuid
CoUninitialize

ws2_32

recv
getsockname
send
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
gethostname
closesocket

msvcrt

??1type_info@@UAE@XZ
_initterm
_beginthreadex
_except_handler3
strncmp
_adjust_fdiv
_strcmpi
_strupr
_stricmp
_snprintf
strcspn
strncpy
atoi
_access
strrchr
malloc
free
realloc
sprintf
strstr
_CxxThrowException
??2@YAPAXI@Z
exit
__CxxFrameHandler
_ftol
??3@YAXPAX@Z

setupapi

SetupDiEnumDeviceInfo
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA

iphlpapi

GetIfTable

urlmon

URLDownloadToFileA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

fuckyou
fuckyou1

Sections

.text
Size: 36KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

55cc24a9cf98c16eeef7d7030b8008b1

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

msvcrt

setupapi

iphlpapi

urlmon

wtsapi32

Exports

Exports

Sections

.text Size: 36KB - Virtual size: 256.0MB

.rdata Size: 8KB - Virtual size: 256.0MB

.data Size: 8KB - Virtual size: 256.0MB

.reloc Size: 4KB - Virtual size: 256.1MB

.text
Size: 36KB - Virtual size: 256.0MB

.rdata
Size: 8KB - Virtual size: 256.0MB

.data
Size: 8KB - Virtual size: 256.0MB

.reloc
Size: 4KB - Virtual size: 256.1MB