ghost3211[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

ghost3211.exe
Size

3.8MB
MD5

e9b4161c2ca750998d4cd796ac4cda91
SHA1

a8e4ddf905ea771b79368a2dd72c089c6f603eac
SHA256

a2204d1b13a794f0088776b64dd4105a11154fc3d6e5d41c283ab6fb954f8c89
SHA512

7202a36247272630929dd6d55e9fd98335d81a160bc776e0dadb8ba1ad5cde484323a0efb4d459f7d954678512964930b1ffc368de9819c577638ab2ef226cd4
SSDEEP

49152:Rk5/2k2GCbWk3lPdEXyzLQa0ALxdBlbc94gK0Gk0sGTkN4AGTZw28MWXNaGB/J:CV2k23vH24LQ+dL20kLK38MWXNV

Score

1^/10

Malware Config

Signatures

Files

ghost3211.exe
.exe windows x86

02cbe3a4b59e6539e667e0e19f66f1fa

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

31/10/2007, 00:00

Not After

24/11/2010, 23:59

Subject

CN=Symantec Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Symantec Research Labs,O=Symantec Corporation,L=Santa Monica,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

18:21:6c:82:f5:89:20:e1:27:cc:65:78:05:41:51:71:3c:bd:38:8a
Signer

Actual PE Digest

18:21:6c:82:f5:89:20:e1:27:cc:65:78:05:41:51:71:3c:bd:38:8a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

socket
gethostname
gethostbyname
inet_ntoa
WSACloseEvent
WSACleanup
connect
WSACreateEvent
WSASend
WSAWaitForMultipleEvents
WSAEnumNetworkEvents
htonl
accept
recv
bind
WSASetLastError
recvfrom
WSAStartup
WSAAddressToStringA
WSASocketA
getsockopt
getsockname
send
ntohl
WSASendTo
WSARecvFrom
WSARecv
WSAIoctl
listen
htons
inet_addr
closesocket
WSAEventSelect
WSAGetLastError
ioctlsocket
shutdown
setsockopt
sendto

imm32

ImmDisableIME

imagehlp

ImageGetCertificateHeader
ImageRemoveCertificate

kernel32

InterlockedDecrement
VirtualLock
SetProcessWorkingSetSize
GetProcessWorkingSetSize
GetCurrentProcess
VirtualUnlock
VirtualQuery
GetSystemInfo
DeviceIoControl
GetLastError
SetFilePointer
SetLastError
GetFileSize
SetEndOfFile
CreateFileW
ReadFile
WriteFile
GetOverlappedResult
GetProcAddress
GetModuleHandleA
CreateEventA
WaitForSingleObject
SetErrorMode
FormatMessageA
LoadLibraryA
CreateThread
GetCurrentProcessId
GetCurrentThreadId
GetDriveTypeA
RaiseException
SetUnhandledExceptionFilter
Sleep
GetVersionExA
GlobalMemoryStatus
FreeConsole
FreeLibrary
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetCurrentThread
IsBadWritePtr
GetThreadContext
SetEvent
ResetEvent
VirtualFree
VirtualAlloc
DefineDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
DeleteCriticalSection
LoadLibraryW
GetDriveTypeW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
GetFileAttributesA
GetDiskFreeSpaceA
CreateDirectoryA
DeleteFileA
CreateFileA
MoveFileA
GetBinaryTypeA
GetFileInformationByHandle
GetVolumeInformationA
GetFullPathNameA
GetDiskFreeSpaceW
FindFirstFileA
SetFileTime
GetFileAttributesW
SetFileAttributesA
LocalFree
LocalAlloc
BackupSeek
BackupRead
InitializeCriticalSectionAndSpinCount
IsDebuggerPresent
DebugBreak
InterlockedIncrement
OutputDebugStringA
GetStdHandle
GetModuleHandleW
GetTickCount
LoadResource
SizeofResource
LockResource
DeleteFileW
ResumeThread
CreateEventW
MultiByteToWideChar
WideCharToMultiByte
GetStringTypeA
GetVersionExW
VirtualProtectEx
GetLocalTime
GetSystemTime
GetLocaleInfoW
IsValidCodePage
IsDBCSLeadByteEx
GetOEMCP
GetConsoleCP
GetConsoleOutputCP
GetACP
SystemTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
GetSystemTimeAsFileTime
GetEnvironmentVariableW
InterlockedCompareExchange
InterlockedExchange
TerminateProcess
UnhandledExceptionFilter
RtlUnwind
ExitProcess
GetTimeFormatA
GetDateFormatA
SetConsoleCtrlHandler
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
ExitThread
LCMapStringA
LCMapStringW
GetCPInfo
GetStringTypeW
GetTimeZoneInformation
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetHandleCount
GetFileType
GetStartupInfoA
GetCurrentDirectoryA
GetConsoleMode
FlushFileBuffers
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
SetStdHandle
WriteConsoleA
WriteConsoleW
CompareStringA
CompareStringW
SetEnvironmentVariableA
CloseHandle
GetLocaleInfoA
GetModuleFileNameA
FindNextFileA
FindClose
GetLogicalDrives
FindResourceW
GetLogicalDriveStringsA
ReadProcessMemory
ReadConsoleInputA
SetConsoleMode
RemoveDirectoryA

rpcrt4

UuidCreate

user32

ScreenToClient
GetCursorPos
FindWindowExW
ToAscii
PeekMessageA
TranslateMessage
DispatchMessageA
ShowWindow
GetKeyState
SetWindowTextW
RegisterClassA
DestroyWindow
DefWindowProcA
KillTimer
CreateWindowExA
SetTimer
UnregisterClassA
RegisterDeviceNotificationA
ExitWindowsEx
GetDC
GetDesktopWindow
GetWindowRect
SetWindowPos
AdjustWindowRect
GetUpdateRect
ValidateRect
GetFocus
SetFocus
LoadCursorA
SetCursor
GetKeyboardState
ReleaseDC

gdi32

DeleteObject
CreateSolidBrush
GetPixel
StretchDIBits
CreatePalette
SelectPalette
RealizePalette
SelectObject

advapi32

CreateServiceA
StartServiceA
OpenSCManagerA
OpenServiceA
DeleteService
RegOpenKeyA
LookupPrivilegeValueW
QueryServiceStatus
ControlService
GetFileSecurityW
SetFileSecurityW
RegSetValueExW
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumValueA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteValueA
RegSetValueExA
RegDeleteKeyA
RegCreateKeyExA
RegUnLoadKeyA
RegLoadKeyA
RegEnumValueW
RegEnumKeyExW
OpenSCManagerW
RegCloseKey
RegSetKeySecurity
RegGetKeySecurity
RegUnLoadKeyW
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegQueryValueExW
StartServiceW
RegDeleteKeyW
CloseServiceHandle
OpenServiceW
RegLoadKeyW
RegOpenKeyExA
RegQueryValueExA
RegDeleteValueW

ole32

CoInitializeSecurity
CoUninitialize
CoCreateInstance
OleRun
CoSetProxyBlanket
CoInitialize
CoTaskMemFree
CoInitializeEx

oleaut32

SafeArrayDestroy
SafeArrayAccessData
SysAllocString
SysFreeString

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

Sections

.text
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 824KB - Virtual size: 823KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 256KB - Virtual size: 672KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mixcrt
Size: 4KB - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

02cbe3a4b59e6539e667e0e19f66f1fa

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08Certificate

Extended Key Usages

Key Usages

18:21:6c:82:f5:89:20:e1:27:cc:65:78:05:41:51:71:3c:bd:38:8aSigner

Headers

File Characteristics

Imports

ws2_32

imm32

imagehlp

kernel32

rpcrt4

user32

gdi32

advapi32

ole32

oleaut32

version

Sections

.text Size: 2.7MB - Virtual size: 2.7MB

.rdata Size: 824KB - Virtual size: 823KB

.data Size: 256KB - Virtual size: 672KB

.mixcrt Size: 4KB - Virtual size: 1B

.rsrc Size: 12KB - Virtual size: 11KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

18:21:6c:82:f5:89:20:e1:27:cc:65:78:05:41:51:71:3c:bd:38:8a
Signer

.text
Size: 2.7MB - Virtual size: 2.7MB

.rdata
Size: 824KB - Virtual size: 823KB

.data
Size: 256KB - Virtual size: 672KB

.mixcrt
Size: 4KB - Virtual size: 1B

.rsrc
Size: 12KB - Virtual size: 11KB