Behavioral task: behavioral1
Sample: office.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: office.exe
Resource: win10v2004-20230221-en
General
Target: office.zip
Size: 27KB
MD5: 3ad71ba2b58df00458bd48841a586d9c
SHA1: 6082fe7dacad5b0fac738098838a7f11d7fec1e2
SHA256: 7251ef87b112e2f17baa36800cbe6269d6c87c53eb0ca6cf632ee95bbdd27944
SHA512: cbd996a9088d5e7aa359af11eb4062932df3e749653b97178e42f9f57bb2b1948c62a1f6a6d75d53454f5543af0429b5026b177bc91c97cd07c60dcef7611c83
SSDEEP: 768:+ky740EAE0tVPdLD9iahEuNPQ4+O3myBgET97Z3:+8SxV7PwO/5ZZ
Malware Config
Signatures
Gh0st RAT payload (1 IoCs)
  resource: static1/unpack001/office.exe
  yara_rule: family_gh0strat
Gh0strat family
Unsigned PE (1 IoCs)
  Checks for missing Authenticode signature.
  resource: unpack001/office.exe
Files
office.zip (.zip)
office.exe (.exe, windows x86) - MD5: c15ba724d99c1fa1f63c8315010543b6
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
Sleep
lstrcpyA
TerminateThread
lstrlenA
FreeLibrary
GetProcAddress
LoadLibraryW
GetVersionExA
GetTickCount
GetLocalTime
WritePrivateProfileStringA
GetSystemDirectoryA
CancelIo
GetLastError
LoadLibraryA
WriteFile
HeapAlloc
HeapFree
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
GetPrivateProfileStringA
VirtualFree
LCMapStringW
LCMapStringA
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
GetOEMCP
GetACP
GetCPInfo
IsBadCodePtr
IsBadReadPtr
InterlockedIncrement
InterlockedDecrement
GetFileType
RtlUnwind
RaiseException
CreateThread
GetCurrentThreadId
TlsSetValue
TlsGetValue
ExitThread
HeapReAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
TlsAlloc
SetLastError
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetUnhandledExceptionFilter
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsBadWritePtr
GetModuleFileNameA
GetEnvironmentVariableA
HeapDestroy
HeapCreate
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
user32
wsprintfA
advapi32
RegOpenKeyA
RegQueryValueExA
RegCloseKey
ole32
CoInitialize
CoUninitialize
CoCreateInstance
oleaut32
VariantInit
VariantClear
ws2_32
recv
socket
gethostbyname
htons
select
setsockopt
WSAIoctl
WSACleanup
WSAStartup
closesocket
send
gethostname
connect
getsockname
Sections
.text Size: 36KB - Virtual size: 35KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 8KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 16KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE