ghost[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

ghost.exe
Size

4.8MB
MD5

c91ce8b8a160b5692ff07732339810cf
SHA1

d872586b5c88622a35441774b84d9010e49b18da
SHA256

997f6482b974df269158e93ea849275da24841c295998a11e7d21a0b73632b66
SHA512

084b0192ce6fe492164200900b7cc43230804612b206ef1d5a891aae58daef130873a9b3a496b23355a846f2be16c1bd6e21e3b5e596f132bc9309b9e2ce4a19
SSDEEP

98304:QfFdKQaIz9KGDTR79dBT5T+A1AVApXEQ0411L4n:Gb9DhRdBT5GV1KTLK

Score

1^/10

Malware Config

Signatures

Files

ghost.exe
.exe windows x86

55e2a462546fd260504adaeddf4b3f00

Code Sign

6a:21:fe:fd:5d:b1:29:47:8c:d9:da:aa:37:0f:69:a0
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

12/10/2016, 00:00

Not After

21/10/2017, 23:59

Subject

CN=Symantec Corporation,OU=Endpoint Management Group,O=Symantec Corporation,L=Lindon,ST=Utah,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

22/07/2014, 00:00

Not After

21/07/2024, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:2d:23:cb:00:00:00:00:00:21
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:46

Not After

22/02/2021, 19:56

Subject

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

6a:21:fe:fd:5d:b1:29:47:8c:d9:da:aa:37:0f:69:a0
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

12/10/2016, 00:00

Not After

21/10/2017, 23:59

Subject

CN=Symantec Corporation,OU=Endpoint Management Group,O=Symantec Corporation,L=Lindon,ST=Utah,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

22/07/2014, 00:00

Not After

21/07/2024, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:2d:23:cb:00:00:00:00:00:21
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:46

Not After

22/02/2021, 19:56

Subject

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12/01/2016, 00:00

Not After

11/01/2031, 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

02/01/2017, 00:00

Not After

01/04/2028, 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

e6:55:b6:b7:22:ff:ba:3b:98:0e:a4:e6:4c:90:4a:3b:b1:0a:86:b0:4f:8f:40:04:33:15:4a:84:b9:b0:8d:40
Signer

Actual PE Digest

e6:55:b6:b7:22:ff:ba:3b:98:0e:a4:e6:4c:90:4a:3b:b1:0a:86:b0:4f:8f:40:04:33:15:4a:84:b9:b0:8d:40

Digest Algorithm

sha256

PE Digest Matches

true

83:eb:4c:b0:f7:5e:43:ea:6a:b8:f0:a4:83:98:4e:58:8d:2e:8d:98
Signer

Actual PE Digest

83:eb:4c:b0:f7:5e:43:ea:6a:b8:f0:a4:83:98:4e:58:8d:2e:8d:98

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

WSASocketA
ntohl
send
WSAIoctl
WSASetLastError
WSAAddressToStringA
getsockopt
getsockname
WSASendTo
WSARecvFrom
WSARecv
closesocket
getprotobyname
ioctlsocket
shutdown
setsockopt
recvfrom
sendto
inet_addr
htons
listen
htonl
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
WSASend
getservbyname
getservbyport
WSAGetLastError
recv
accept
connect
bind
WSAEventSelect
select
__WSAFDIsSet
gethostname
gethostbyname
inet_ntoa
WSACloseEvent
WSACleanup
WSAStartup
WSACreateEvent
socket

imm32

ImmDisableIME

kernel32

GlobalAlloc
SetLastError
GetProcAddress
FreeLibrary
LoadLibraryA
CreateThread
WaitForSingleObject
SetEvent
Sleep
IsDebuggerPresent
GlobalFree
UnmapViewOfFile
OpenFileMappingA
MapViewOfFile
CloseHandle
GetTickCount
GetLocaleInfoA
GetModuleFileNameA
FindClose
GetLogicalDrives
GetVersionExA
GetLogicalDriveStringsA
ReadProcessMemory
ReadConsoleInputA
SetConsoleMode
GetBinaryTypeA
CreateEventA
HeapAlloc
HeapFree
SetEnvironmentVariableA
CompareStringW
CompareStringA
VirtualLock
SetProcessWorkingSetSize
GetProcessWorkingSetSize
GetCurrentProcess
VirtualUnlock
VirtualQuery
GetSystemInfo
InterlockedDecrement
DeviceIoControl
GetLastError
SetFilePointer
GetFileSize
SetEndOfFile
CreateFileA
CreateFileW
ReadFile
WriteFile
GetOverlappedResult
GetModuleHandleA
SetErrorMode
FormatMessageA
GetCurrentProcessId
GetCurrentThreadId
GetDriveTypeA
RaiseException
SetUnhandledExceptionFilter
GlobalMemoryStatus
FreeConsole
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InterlockedIncrement
ResetEvent
GetVolumeInformationA
GetCurrentThread
InitializeCriticalSection
GetExitCodeThread
LocalFree
GlobalUnlock
GlobalLock
ExitProcess
LoadLibraryW
DebugBreak
GetExitCodeProcess
CreateProcessW
GetFileAttributesW
GetModuleFileNameW
GetModuleHandleW
GetCurrentDirectoryW
DefineDosDeviceW
DeleteVolumeMountPointW
GetVolumeNameForVolumeMountPointW
SetVolumeMountPointW
VirtualFree
VirtualAlloc
OutputDebugStringA
GetDriveTypeW
GetVolumePathNameW
ExpandEnvironmentStringsW
GetBinaryTypeW
GetFileInformationByHandle
CreateDirectoryW
DeleteFileW
RemoveDirectoryW
MoveFileW
GetDiskFreeSpaceW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetFullPathNameW
FindFirstFileW
SetFileTime
SetFileAttributesW
LocalAlloc
BackupSeek
BackupRead
FindNextFileW
QueryPerformanceCounter
QueryPerformanceFrequency
SystemTimeToFileTime
GetSystemTime
GetProcessHeap
GetProcessTimes
GetThreadTimes
GetStdHandle
FindResourceA
LoadResource
FindResourceExA
MultiByteToWideChar
LockResource
CreateEventW
ResumeThread
FormatMessageW
GetFileAttributesExA
GetVersionExW
GetFileAttributesExW
GetThreadContext
FindResourceW
SizeofResource
WideCharToMultiByte
GetStringTypeA
GetSystemTimeAsFileTime
GetLocalTime
FileTimeToLocalFileTime
VirtualProtectEx
GetLocaleInfoW
IsValidCodePage
IsDBCSLeadByteEx
GetOEMCP
GetConsoleCP
GetConsoleOutputCP
GetACP
FileTimeToSystemTime
LocalFileTimeToFileTime
TerminateProcess
GetEnvironmentVariableW
InterlockedExchange
InterlockedCompareExchange
RtlUnwind
GetFileAttributesA
GetTimeFormatA
GetDateFormatA
SetConsoleCtrlHandler
GetFullPathNameA
GetCommandLineA
UnhandledExceptionFilter
LCMapStringA
LCMapStringW
GetCPInfo
GetStringTypeW
GetTimeZoneInformation
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetConsoleMode
SetHandleCount
GetFileType
GetStartupInfoA
FlushFileBuffers
GetCurrentDirectoryA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
SetStdHandle
WriteConsoleA
WriteConsoleW

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate

secur32

AcquireCredentialsHandleA
EncryptMessage
DecryptMessage
QueryContextAttributesA
FreeCredentialsHandle
DeleteSecurityContext
CompleteAuthToken
InitializeSecurityContextW

imagehlp

ImageRemoveCertificate
ImageGetCertificateHeader
SymGetModuleInfo
SymFromAddr
SymInitialize
SymCleanup
SymGetTypeInfo
StackWalk
SymEnumSymbols
SymSetContext
SymFunctionTableAccess
SymGetModuleBase
SymGetLineFromAddr
SymLoadModule
SymSetOptions

netapi32

Netbios

user32

RegisterDeviceNotificationA
DefWindowProcA
CreateWindowExA
UnregisterClassA
KillTimer
SetTimer
DestroyWindow
ReleaseDC
GetKeyState
ShowWindow
ToAscii
GetKeyboardState
SetCursor
LoadCursorA
SetFocus
RegisterClassA
GetUpdateRect
AdjustWindowRect
SetWindowPos
GetWindowRect
GetDC
SetWindowTextW
ScreenToClient
FindWindowExW
ExitWindowsEx
DispatchMessageA
TranslateMessage
GetOpenClipboardWindow
PeekMessageA
GetFocus
GetProcessWindowStation
GetQueueStatus
GetCapture
GetMessagePos
GetInputState
GetDesktopWindow
GetCursorPos
GetCaretPos
GetActiveWindow
GetClipboardViewer
GetClipboardOwner
GetMessageTime
ValidateRect

gdi32

CreateSolidBrush
GetPixel
StretchDIBits
CreatePalette
SelectPalette
RealizePalette
SelectObject
DeleteObject

advapi32

CreateServiceA
StartServiceA
OpenSCManagerA
OpenServiceA
SetServiceStatus
RegEnumValueA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteValueA
RegSetValueExA
RegDeleteKeyA
RegCreateKeyExA
RegUnLoadKeyA
RegLoadKeyA
RegEnumValueW
RegEnumKeyExW
RegSetKeySecurity
RegGetKeySecurity
RegUnLoadKeyW
RegLoadKeyW
LookupPrivilegeValueW
RegNotifyChangeKeyValue
QueryServiceConfigW
DeleteService
RegDeleteValueW
RegCloseKey
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
OpenThreadToken
RegSetValueExW
RegQueryValueExW
RegQueryValueExA
RegOpenKeyA
StartServiceW
CloseServiceHandle
OpenServiceW
OpenSCManagerW
QueryServiceStatus
ControlService
GetFileSecurityW
RegDeleteKeyW
SetFileSecurityW
RegOpenKeyExA
RegCreateKeyExW
RegQueryInfoKeyW

ole32

CoSetProxyBlanket
OleRun
CoCreateInstance
CoUninitialize
CoInitialize
CoInitializeSecurity
CoTaskMemFree
CoInitializeEx

oleaut32

SysFreeString
SysAllocString
SafeArrayDestroy
SafeArrayAccessData

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

Sections

.text
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 898KB - Virtual size: 897KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 261KB - Virtual size: 438KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mixcrt
Size: 512B - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

55e2a462546fd260504adaeddf4b3f00

Code Sign

6a:21:fe:fd:5d:b1:29:47:8c:d9:da:aa:37:0f:69:a0Certificate

Extended Key Usages

Key Usages

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8Certificate

Extended Key Usages

Key Usages

61:2d:23:cb:00:00:00:00:00:21Certificate

Key Usages

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

6a:21:fe:fd:5d:b1:29:47:8c:d9:da:aa:37:0f:69:a0Certificate

Extended Key Usages

Key Usages

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8Certificate

Extended Key Usages

Key Usages

61:2d:23:cb:00:00:00:00:00:21Certificate

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6Certificate

Extended Key Usages

Key Usages

e6:55:b6:b7:22:ff:ba:3b:98:0e:a4:e6:4c:90:4a:3b:b1:0a:86:b0:4f:8f:40:04:33:15:4a:84:b9:b0:8d:40Signer

83:eb:4c:b0:f7:5e:43:ea:6a:b8:f0:a4:83:98:4e:58:8d:2e:8d:98Signer

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

imm32

kernel32

rpcrt4

secur32

imagehlp

netapi32

user32

gdi32

advapi32

ole32

oleaut32

version

Sections

.text Size: 3.5MB - Virtual size: 3.5MB

.rdata Size: 898KB - Virtual size: 897KB

.data Size: 261KB - Virtual size: 438KB

.mixcrt Size: 512B - Virtual size: 1B

.rsrc Size: 12KB - Virtual size: 11KB

6a:21:fe:fd:5d:b1:29:47:8c:d9:da:aa:37:0f:69:a0
Certificate

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

61:2d:23:cb:00:00:00:00:00:21
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

6a:21:fe:fd:5d:b1:29:47:8c:d9:da:aa:37:0f:69:a0
Certificate

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

61:2d:23:cb:00:00:00:00:00:21
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

e6:55:b6:b7:22:ff:ba:3b:98:0e:a4:e6:4c:90:4a:3b:b1:0a:86:b0:4f:8f:40:04:33:15:4a:84:b9:b0:8d:40
Signer

83:eb:4c:b0:f7:5e:43:ea:6a:b8:f0:a4:83:98:4e:58:8d:2e:8d:98
Signer

.text
Size: 3.5MB - Virtual size: 3.5MB

.rdata
Size: 898KB - Virtual size: 897KB

.data
Size: 261KB - Virtual size: 438KB

.mixcrt
Size: 512B - Virtual size: 1B

.rsrc
Size: 12KB - Virtual size: 11KB