Ghost32-11[.]5[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Ghost32-11.5.exe
Size

3.8MB
MD5

e3b7d0837242ee28f6d0fdc20e804e0e
SHA1

10c5774e499599eeee090bded7f69c87845831f2
SHA256

96d5d0946173b9d82d0bb990a06c6d11ecb7aff936dea7aa8e26e523e10d302b
SHA512

16c153b67f512e0a92f0d6a7ab1d6770a259ead2254eb773d296d99e03cab52aae3ef5f777a2850f032fb8ae25ba30b70719d2cd0807bd73336820aee2ea5df5
SSDEEP

49152:fL05bCkTcofN0BbrgPPEMwtJwbbB2u7b1WYKhzvZWfnB3j3QGaa74XmbRHi4H0cd:ARMoWBbkHEMPBl7ZWYKtEOU8XmuGb

Score

1^/10

Malware Config

Signatures

Files

Ghost32-11.5.exe
.exe windows x86

b82f622dcc69314b5e2125af74e90858

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

31/10/2007, 00:00

Not After

24/11/2010, 23:59

Subject

CN=Symantec Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Symantec Research Labs,O=Symantec Corporation,L=Santa Monica,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

fc:6e:6e:a5:24:5e:dc:43:19:8c:b6:98:9c:8f:b3:92:24:5a:a6:97
Signer

Actual PE Digest

fc:6e:6e:a5:24:5e:dc:43:19:8c:b6:98:9c:8f:b3:92:24:5a:a6:97

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

recvfrom
WSASetLastError
gethostname
gethostbyname
inet_ntoa
WSACloseEvent
WSACleanup
WSAStartup
WSACreateEvent
WSASend
WSAWaitForMultipleEvents
WSAEnumNetworkEvents
htonl
listen
htons
inet_addr
closesocket
WSAEventSelect
WSAGetLastError
ioctlsocket
shutdown
setsockopt
recv
accept
WSAAddressToStringA
WSASocketA
getsockopt
getsockname
send
ntohl
WSASendTo
WSARecvFrom
WSARecv
WSAIoctl
socket
connect
bind
sendto

imm32

ImmDisableIME

imagehlp

ImageGetCertificateHeader
ImageRemoveCertificate

kernel32

CreateFileA
CloseHandle
GetLocaleInfoA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetLastError
GetVersionExA
IsValidCodePage
IsDBCSLeadByteEx
MultiByteToWideChar
WideCharToMultiByte
GetOEMCP
GetConsoleCP
GetConsoleOutputCP
GetACP
SystemTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
GetSystemTimeAsFileTime
DebugBreak
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
IsDebuggerPresent
DeleteCriticalSection
InterlockedIncrement
InterlockedDecrement
OutputDebugStringA
WriteFile
SetFilePointer
SetEndOfFile
ReadFile
GetStdHandle
VirtualFree
VirtualAlloc
GetSystemInfo
GetThreadContext
VirtualQuery
GetModuleHandleW
FindResourceW
LoadResource
LoadLibraryW
Sleep
SizeofResource
CreateFileW
LockResource
GetCurrentThreadId
DeleteFileW
ResumeThread
CreateThread
WaitForSingleObject
SetEvent
CreateEventW
FindNextFileA
GetFileAttributesW
GetFileAttributesExA
GetCurrentProcess
GetVersionExW
VirtualProtectEx
GetLocalTime
GetSystemTime
GetStringTypeA
GetLocaleInfoW
GetFileAttributesA
GetDiskFreeSpaceA
CreateDirectoryA
DeleteFileA
RemoveDirectoryA
MoveFileA
GetBinaryTypeA
GetFileInformationByHandle
GetVolumeInformationA
GetTickCount
GetFullPathNameA
GetCurrentDirectoryA
GetDiskFreeSpaceW
FindFirstFileA
SetFileTime
SetFileAttributesA
LocalFree
LocalAlloc
BackupSeek
BackupRead
QueryPerformanceCounter
QueryPerformanceFrequency
CreateEventA
ResetEvent
InitializeCriticalSection
DefineDosDeviceW
GetCurrentThread
IsBadWritePtr
FormatMessageA
GetCurrentProcessId
RaiseException
SetUnhandledExceptionFilter
GlobalMemoryStatus
FreeConsole
DeviceIoControl
HeapFree
HeapAlloc
GetProcessHeap
FindClose
VirtualLock
SetProcessWorkingSetSize
GetProcessWorkingSetSize
VirtualUnlock
SetErrorMode
GetLogicalDriveStringsA
SetLastError
GetFileSize
GetOverlappedResult
InterlockedExchange
InterlockedCompareExchange
TerminateProcess
UnhandledExceptionFilter
RtlUnwind
ExitProcess
GetTimeFormatA
GetDateFormatA
SetConsoleCtrlHandler
GetCommandLineA
ExitThread
LCMapStringA
LCMapStringW
GetCPInfo
GetStringTypeW
GetTimeZoneInformation
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetHandleCount
GetFileType
GetStartupInfoA
GetConsoleMode
FlushFileBuffers
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
SetStdHandle
WriteConsoleA
WriteConsoleW
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetLogicalDrives
GetDriveTypeA
SetConsoleMode
ReadConsoleInputA
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetEnvironmentVariableW
ReadProcessMemory
GetDriveTypeW

rpcrt4

UuidCreate

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

user32

UnregisterClassA
RegisterDeviceNotificationA
KillTimer
SetTimer
ExitWindowsEx
GetFocus
SetFocus
LoadCursorA
FindWindowExW
GetKeyboardState
ToAscii
PeekMessageA
TranslateMessage
DispatchMessageA
ShowWindow
GetKeyState
ReleaseDC
DestroyWindow
GetCursorPos
ScreenToClient
SetWindowTextW
RegisterClassA
CreateWindowExA
GetDC
GetDesktopWindow
GetWindowRect
SetWindowPos
AdjustWindowRect
GetUpdateRect
ValidateRect
DefWindowProcA
SetCursor

gdi32

SelectObject
CreateSolidBrush
GetPixel
StretchDIBits
CreatePalette
SelectPalette
RealizePalette
DeleteObject

advapi32

RegUnLoadKeyW
RegEnumValueW
RegLoadKeyA
RegUnLoadKeyA
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegQueryValueExA
RegLoadKeyW
StartServiceW
CreateServiceA
ControlService
StartServiceA
OpenSCManagerA
OpenServiceA
DeleteService
CloseServiceHandle
LookupPrivilegeValueW
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyA
SetFileSecurityW
GetFileSecurityW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
QueryServiceStatus
OpenSCManagerW
OpenServiceW
RegCreateKeyExW
RegDeleteKeyW
RegSetValueExA
RegQueryValueExW
RegSetValueExW
RegDeleteValueW
RegQueryInfoKeyW
RegGetKeySecurity
RegSetKeySecurity
RegEnumValueA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteValueA

ole32

CoSetProxyBlanket
CoCreateInstance
OleRun
CoInitializeEx
CoUninitialize
CoInitialize
CoInitializeSecurity
CoTaskMemFree

oleaut32

SysAllocString
SysFreeString
SafeArrayDestroy
SafeArrayAccessData

Sections

.text
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 828KB - Virtual size: 824KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 256KB - Virtual size: 672KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mixcrt
Size: 4KB - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b82f622dcc69314b5e2125af74e90858

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08Certificate

Extended Key Usages

Key Usages

fc:6e:6e:a5:24:5e:dc:43:19:8c:b6:98:9c:8f:b3:92:24:5a:a6:97Signer

Headers

File Characteristics

Imports

ws2_32

imm32

imagehlp

kernel32

rpcrt4

version

user32

gdi32

advapi32

ole32

oleaut32

Sections

.text Size: 2.7MB - Virtual size: 2.7MB

.rdata Size: 828KB - Virtual size: 824KB

.data Size: 256KB - Virtual size: 672KB

.mixcrt Size: 4KB - Virtual size: 1B

.rsrc Size: 12KB - Virtual size: 11KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

fc:6e:6e:a5:24:5e:dc:43:19:8c:b6:98:9c:8f:b3:92:24:5a:a6:97
Signer

.text
Size: 2.7MB - Virtual size: 2.7MB

.rdata
Size: 828KB - Virtual size: 824KB

.data
Size: 256KB - Virtual size: 672KB

.mixcrt
Size: 4KB - Virtual size: 1B

.rsrc
Size: 12KB - Virtual size: 11KB