Ghost32[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Ghost32.exe
Size

3.8MB
MD5

bd62fca92560673743f63c5a834ba78c
SHA1

2a8c9aea82c356916d0032288ea39daeb8d64b74
SHA256

a49803fab016100e3cc1a5b770de9f250b7703f2446f9970c6fab487ca096d45
SHA512

e6767b553a2347cc1cca95b2af76f915a4e2487a148516c2fe83d36a77d97c7bb5189b07a8fcc356fa9eb60048fcbd8ff89f12b0765b02ab39549c0deebb79ba
SSDEEP

49152:25vQcg3Iuu/j0hpRSBsaG/tAe7skDtzAKVTY02rpG++KKh/tzy4wulTrdT4dLiBy:sQW/ERvj/tAirAKVBood/sSMLR

Score

1^/10

Malware Config

Signatures

Files

Ghost32.exe
.exe windows x86

b48ea81e7a468e5327f0819e4945b27d

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

31/10/2007, 00:00

Not After

24/11/2010, 23:59

Subject

CN=Symantec Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Symantec Research Labs,O=Symantec Corporation,L=Santa Monica,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

53:a4:96:c0:1a:1d:43:32:53:c9:af:18:17:ed:53:cc:85:ce:56:dc
Signer

Actual PE Digest

53:a4:96:c0:1a:1d:43:32:53:c9:af:18:17:ed:53:cc:85:ce:56:dc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

socket
bind
connect
gethostname
gethostbyname
inet_ntoa
WSACloseEvent
WSAAddressToStringA
WSAStartup
WSACreateEvent
WSASend
WSAWaitForMultipleEvents
WSAEnumNetworkEvents
htonl
accept
recv
WSASetLastError
recvfrom
WSACleanup
sendto
setsockopt
WSASocketA
getsockopt
send
ntohl
WSASendTo
WSARecvFrom
WSARecv
WSAIoctl
getsockname
listen
htons
inet_addr
closesocket
WSAEventSelect
WSAGetLastError
ioctlsocket
shutdown

imm32

ImmDisableIME

imagehlp

ImageGetCertificateHeader
ImageRemoveCertificate

kernel32

InterlockedDecrement
VirtualLock
SetProcessWorkingSetSize
GetProcessWorkingSetSize
GetCurrentProcess
VirtualUnlock
VirtualQuery
GetSystemInfo
DeviceIoControl
GetLastError
SetFilePointer
SetLastError
GetFileSize
SetEndOfFile
CreateFileW
ReadFile
WriteFile
GetOverlappedResult
GetProcAddress
GetModuleHandleA
CreateEventA
WaitForSingleObject
SetErrorMode
FormatMessageA
LoadLibraryA
CreateThread
GetCurrentProcessId
GetCurrentThreadId
GetDriveTypeA
RaiseException
SetUnhandledExceptionFilter
Sleep
GetVersionExA
GlobalMemoryStatus
FreeConsole
FreeLibrary
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetCurrentThread
IsBadWritePtr
GetThreadContext
SetEvent
ResetEvent
VirtualFree
VirtualAlloc
DefineDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
DeleteCriticalSection
LoadLibraryW
GetDriveTypeW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
GetFileAttributesA
GetDiskFreeSpaceA
CreateFileA
DeleteFileA
RemoveDirectoryA
MoveFileA
GetBinaryTypeA
GetFileInformationByHandle
GetVolumeInformationA
GetFullPathNameA
GetDiskFreeSpaceW
FindFirstFileA
SetFileTime
GetFileAttributesW
SetFileAttributesA
LocalFree
LocalAlloc
BackupSeek
BackupRead
DebugBreak
InitializeCriticalSectionAndSpinCount
IsDebuggerPresent
GetStdHandle
ResumeThread
GetTickCount
CreateEventW
MultiByteToWideChar
WideCharToMultiByte
GetStringTypeA
VirtualProtectEx
GetVersionExW
GetLocalTime
GetSystemTime
GetLocaleInfoW
IsValidCodePage
IsDBCSLeadByteEx
GetOEMCP
GetConsoleCP
GetConsoleOutputCP
GetACP
SystemTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
GetSystemTimeAsFileTime
GetEnvironmentVariableW
InterlockedIncrement
InterlockedCompareExchange
InterlockedExchange
TerminateProcess
UnhandledExceptionFilter
RtlUnwind
ExitProcess
GetTimeFormatA
GetDateFormatA
SetConsoleCtrlHandler
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
ExitThread
SetHandleCount
GetFileType
GetStartupInfoA
LCMapStringA
LCMapStringW
GetCPInfo
GetStringTypeW
GetTimeZoneInformation
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentDirectoryA
GetConsoleMode
FlushFileBuffers
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
SetStdHandle
WriteConsoleA
WriteConsoleW
CompareStringA
CompareStringW
SetEnvironmentVariableA
CloseHandle
GetLocaleInfoA
GetModuleFileNameA
FindNextFileA
FindClose
GetLogicalDrives
GetLogicalDriveStringsA
ReadProcessMemory
ReadConsoleInputA
SetConsoleMode
CreateDirectoryA

rpcrt4

UuidCreate

user32

GetDC
SetWindowTextW
ScreenToClient
GetCursorPos
FindWindowExW
ToAscii
PeekMessageA
TranslateMessage
DispatchMessageA
ShowWindow
GetDesktopWindow
ReleaseDC
KillTimer
CreateWindowExA
SetTimer
UnregisterClassA
RegisterDeviceNotificationA
RegisterClassA
DestroyWindow
DefWindowProcA
ExitWindowsEx
GetWindowRect
SetWindowPos
AdjustWindowRect
GetUpdateRect
ValidateRect
GetFocus
GetKeyboardState
SetFocus
LoadCursorA
SetCursor
GetKeyState

gdi32

DeleteObject
CreateSolidBrush
GetPixel
StretchDIBits
CreatePalette
SelectPalette
RealizePalette
SelectObject

advapi32

CreateServiceA
StartServiceA
OpenSCManagerA
OpenServiceA
DeleteService
RegOpenKeyA
LookupPrivilegeValueW
OpenSCManagerW
QueryServiceStatus
ControlService
GetFileSecurityW
SetFileSecurityW
RegSetValueExW
RegCreateKeyExW
RegEnumValueA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteValueA
RegSetValueExA
RegDeleteKeyA
RegCreateKeyExA
RegUnLoadKeyA
RegLoadKeyA
RegEnumValueW
RegEnumKeyExW
OpenServiceW
RegCloseKey
RegSetKeySecurity
RegGetKeySecurity
RegUnLoadKeyW
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegQueryValueExA
RegOpenKeyExA
RegQueryValueExW
StartServiceW
CloseServiceHandle
RegLoadKeyW
RegDeleteValueW
RegDeleteKeyW
RegQueryInfoKeyW

ole32

CoInitializeSecurity
CoCreateInstance
OleRun
CoTaskMemFree
CoUninitialize
CoInitialize

oleaut32

SysAllocString
SysFreeString

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA

Sections

.text
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 820KB - Virtual size: 817KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 256KB - Virtual size: 669KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b48ea81e7a468e5327f0819e4945b27d

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08Certificate

Extended Key Usages

Key Usages

53:a4:96:c0:1a:1d:43:32:53:c9:af:18:17:ed:53:cc:85:ce:56:dcSigner

Headers

File Characteristics

Imports

ws2_32

imm32

imagehlp

kernel32

rpcrt4

user32

gdi32

advapi32

ole32

oleaut32

version

Sections

.text Size: 2.7MB - Virtual size: 2.7MB

.rdata Size: 820KB - Virtual size: 817KB

.data Size: 256KB - Virtual size: 669KB

.rsrc Size: 12KB - Virtual size: 11KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

53:a4:96:c0:1a:1d:43:32:53:c9:af:18:17:ed:53:cc:85:ce:56:dc
Signer

.text
Size: 2.7MB - Virtual size: 2.7MB

.rdata
Size: 820KB - Virtual size: 817KB

.data
Size: 256KB - Virtual size: 669KB

.rsrc
Size: 12KB - Virtual size: 11KB