Behavioral task: behavioral1
Sample: 5a3f5f60adb1ebc4c75a692586c211f6759032c511a6de62dca959671a91cc07.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: 5a3f5f60adb1ebc4c75a692586c211f6759032c511a6de62dca959671a91cc07.exe
Resource: win10v2004-20230703-en
General
Target: 5a3f5f60adb1ebc4c75a692586c211f6759032c511a6de62dca959671a91cc07
Size: 4.6MB
MD5: 8df439754f556846ee73e96bf1ed43e8
SHA1: 86337259d91247236f129eca2a05c037ce3bde8b
SHA256: 5a3f5f60adb1ebc4c75a692586c211f6759032c511a6de62dca959671a91cc07
SHA512: 19fd5d4f88cce96ac50ac77a26189ae5d7df2ca5537a853745e2dd3d879c0a8c1a19c72c5c74f2bb785339ae31fe5bda63f6b41953f071db6a190f76be6a7f12
SSDEEP: 98304:cvwFSgkYVEh98juT8vdtSzBMi/CFf5TNR3D:wT8v2uimf5j3D
Malware Config
Signatures
Gh0st RAT payload (1 IoCs)
resource: sample; yara_rule: family_gh0strat
Gh0strat family
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
resource: 5a3f5f60adb1ebc4c75a692586c211f6759032c511a6de62dca959671a91cc07
Files
5a3f5f60adb1ebc4c75a692586c211f6759032c511a6de62dca959671a91cc07.exe (windows x86)
1ba76f43d8608efc181420ac29c59750
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
shlwapi
PathRemoveFileSpecA
SHAutoComplete
winmm
waveInUnprepareHeader
waveOutGetNumDevs
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveOutOpen
PlaySoundA
waveOutPrepareHeader
mixerGetLineControlsA
mixerGetControlDetailsA
mixerSetControlDetails
mixerGetNumDevs
mixerGetDevCapsA
mixerOpen
mixerGetLineInfoA
mixerClose
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveInAddBuffer
waveInStart
waveOutWrite
waveInStop
waveInReset
waveInClose
kernel32
CompareStringA
CompareStringW
SetEnvironmentVariableA
IsBadCodePtr
IsBadReadPtr
GetStringTypeW
GetStringTypeA
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
LCMapStringW
LCMapStringA
SetUnhandledExceptionFilter
UnhandledExceptionFilter
HeapCreate
HeapDestroy
GetVersionExA
GetEnvironmentVariableA
GetProfileIntA
GetProfileStringA
GetTempPathA
GetPrivateProfileSectionNamesA
GetExitCodeThread
ResetEvent
EnumResourceLanguagesA
EnumResourceTypesA
EnumResourceNamesA
GetCurrentProcessId
IsBadWritePtr
CreateEventA
GetFileType
CloseHandle
TerminateThread
WaitForSingleObject
SetEvent
ResumeThread
CreateThread
Sleep
VirtualFree
VirtualAlloc
GetVolumeInformationA
SetStdHandle
HeapSize
HeapReAlloc
GetACP
GetLocalTime
GetSystemTime
GetTimeZoneInformation
TerminateProcess
GetComputerNameA
GetTickCount
ReadFile
GetFileSize
CreateFileA
FindClose
FindFirstFileA
WriteFile
OutputDebugStringA
GetModuleFileNameA
lstrcpyA
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
LocalFree
LocalAlloc
lstrcpynA
FindNextFileA
GetFileAttributesA
SetFilePointer
RemoveDirectoryA
DeleteFileA
MoveFileA
GetLastError
CreateDirectoryA
GetPrivateProfileStringA
GetPrivateProfileIntA
WritePrivateProfileStringA
InitializeCriticalSection
PostQueuedCompletionStatus
GetSystemInfo
CreateIoCompletionPort
ExitProcess
GetCommandLineA
GetStartupInfoA
RaiseException
ExitThread
RtlUnwind
HeapAlloc
HeapFree
GetCurrentDirectoryA
SetErrorMode
SetFileAttributesA
SystemTimeToFileTime
LocalFileTimeToFileTime
CopyFileA
GetOEMCP
GetCPInfo
GetProcessVersion
TlsGetValue
TlsSetValue
GlobalReAlloc
TlsFree
GlobalHandle
TlsAlloc
SizeofResource
GlobalFlags
GetDiskFreeSpaceA
GetFileTime
SetFileTime
GetTempFileNameA
GetCurrentThread
SetThreadPriority
SetLastError
MulDiv
LocalLock
LocalUnlock
lstrcmpA
GetShortPathNameA
GetThreadLocale
GetStringTypeExA
GetFullPathNameA
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
GetCurrentProcess
DuplicateHandle
lstrlenW
FileTimeToLocalFileTime
FileTimeToSystemTime
FormatMessageA
InterlockedIncrement
FreeLibrary
GetVersion
GlobalGetAtomNameA
lstrcmpiA
GlobalAddAtomA
GlobalFindAtomA
GlobalDeleteAtom
GetModuleHandleA
LockResource
FindResourceA
LoadResource
lstrcatA
LocalReAlloc
LocalSize
GlobalSize
LoadLibraryA
GetProcAddress
InterlockedDecrement
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
DeleteCriticalSection
CancelIo
InterlockedExchange
GetQueuedCompletionStatus
user32
IsRectEmpty
FindWindowA
ValidateRect
BringWindowToTop
UnpackDDElParam
ReuseDDElParam
TranslateAcceleratorA
LoadAcceleratorsA
GrayStringA
TabbedTextOutA
EndPaint
BeginPaint
GetWindowDC
IsClipboardFormatAvailable
GetTabbedTextExtentA
LoadStringA
PtInRect
IsZoomed
SetRectEmpty
DestroyMenu
CharUpperA
wvsprintfA
GetMenuCheckMarkDimensions
LoadBitmapA
ModifyMenuA
SetMenuItemBitmaps
ShowWindow
MoveWindow
SetWindowTextA
IsDialogMessageA
SetDlgItemTextA
GetDlgItemTextA
SendDlgItemMessageA
PostQuitMessage
ShowOwnedPopups
SetWindowContextHelpId
MapDialogRect
GetClassNameA
DispatchMessageA
TranslateMessage
GetMessageA
InvalidateRect
SendMessageA
EnableWindow
RegisterWindowMessageA
SetRect
MapWindowPoints
PeekMessageA
SetFocus
GetDialogBaseUnits
EqualRect
DeferWindowPos
BeginDeferWindowPos
EndDeferWindowPos
ScrollWindow
GetScrollInfo
SetScrollInfo
GetTopWindow
IsChild
GetCapture
WinHelpA
GetSysColorBrush
InsertMenuA
GetMenuStringA
GetDCEx
DestroyIcon
CopyAcceleratorTableA
GetNextDlgGroupItem
SetParent
InvertRect
RegisterClipboardFormatA
GetClassInfoA
GetMenuItemID
TrackPopupMenu
GetWindowTextLengthA
GetWindowTextA
CreateWindowExA
SetWindowsHookExA
CallNextHookEx
GetClassLongA
SetPropA
UnhookWindowsHookEx
GetPropA
CallWindowProcA
MessageBoxA
wsprintfA
GetClientRect
UpdateWindow
IsWindowVisible
SetTimer
KillTimer
GetDlgCtrlID
GetParent
GetCursorPos
CloseClipboard
SetClipboardData
EmptyClipboard
UnregisterClassA
DefMDIChildProcA
DrawMenuBar
TranslateMDISysAccel
DefFrameProcA
ExcludeUpdateRgn
DefDlgProcA
GetClipboardFormatNameA
IsWindowUnicode
GetWindowLongW
SetWindowLongW
GetDoubleClickTime
SetCursorPos
GetMenuStringW
LookupIconIdFromDirectoryEx
DrawFrameControl
PostThreadMessageA
AdjustWindowRectEx
RemovePropA
GetMessageTime
GetMessagePos
GetLastActivePopup
GetForegroundWindow
SetForegroundWindow
IntersectRect
IsIconic
GetWindowPlacement
GetNextDlgTabItem
EndDialog
GetActiveWindow
SetActiveWindow
IsWindow
CreateDialogIndirectParamA
DestroyWindow
GetDlgItem
IsWindowEnabled
SetScrollPos
GetScrollPos
RegisterClassA
DefWindowProcA
ShowScrollBar
RedrawWindow
GetSystemMenu
CheckMenuRadioItem
GetMenuState
AppendMenuA
SystemParametersInfoA
GetClipboardData
GetScrollBarInfo
DrawIconEx
GetKeyState
GetDC
ReleaseDC
SetClassLongA
GetCursor
GetKeyboardLayoutList
GetKeyboardState
ToAsciiEx
GetKeyboardLayout
MapVirtualKeyExA
GetKeyNameTextA
IsCharLowerA
UnionRect
DrawAnimatedRects
EnumChildWindows
SetMenuDefaultItem
SetWindowRgn
CreatePopupMenu
GetMenuDefaultItem
GetWindowRgn
IsMenu
GetMenuItemInfoA
CopyIcon
CreateIconIndirect
GetIconInfo
DrawStateA
CreateIconFromResourceEx
WaitMessage
MapVirtualKeyA
HideCaret
ShowCaret
DrawEdge
OpenClipboard
DeleteMenu
GetSubMenu
LoadMenuA
LoadCursorA
SetCursor
ReleaseCapture
SendMessageTimeoutA
SetWindowPos
CharNextA
CheckMenuItem
EnableMenuItem
ClipCursor
DestroyCursor
LoadImageA
GetWindowLongA
SetWindowLongA
SetScrollRange
GetScrollRange
LockWindowUpdate
GetWindowRect
DrawFocusRect
FillRect
GetSysColor
DrawTextA
CopyRect
GetDesktopWindow
GetFocus
SetMenu
PostMessageA
GetMenu
OffsetRect
GetMenuItemCount
ClientToScreen
ScreenToClient
SetCapture
GetWindow
WindowFromPoint
GetSystemMetrics
LoadIconA
MessageBeep
InflateRect
gdi32
SetBkMode
SetTextColor
TextOutA
StretchDIBits
CreateCompatibleDC
CreateDIBSection
SelectObject
SetStretchBltMode
DeleteDC
DeleteObject
GetObjectA
CreateFontIndirectA
GetTextExtentPoint32A
CreateRectRgnIndirect
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowOrgEx
SetWindowExtEx
ScaleWindowExtEx
SelectClipRgn
ExcludeClipRect
IntersectClipRect
MoveToEx
LineTo
SetTextAlign
ExtTextOutW
GetCurrentPositionEx
PolyBezierTo
GetClipRgn
ExtTextOutA
GetViewportExtEx
GetWindowExtEx
PtVisible
RectVisible
Escape
LPtoDP
AbortDoc
EndDoc
EndPage
StartPage
SetAbortProc
CreateDCA
Rectangle
GetViewportOrgEx
CopyMetaFileA
GetTextColor
GetBkColor
GetNearestColor
GetStretchBltMode
GetPolyFillMode
GetTextAlign
GetBkMode
GetROP2
GetTextFaceA
GetWindowOrgEx
SetBrushOrgEx
GetTextExtentPointA
CreateDIBitmap
SetBkColor
CreateSolidBrush
CreatePen
CreateCompatibleBitmap
BitBlt
GetStockObject
GetClipBox
CreateBitmap
PatBlt
GetTextMetricsA
GetCharWidthA
CreateFontA
GetDeviceCaps
DPtoLP
GetMapMode
CreatePatternBrush
SetRectRgn
CombineRgn
CreateRectRgn
StartDocA
BeginPath
ExtSelectClipRgn
GetTextExtentPoint32W
SaveDC
RestoreDC
SetPolyFillMode
SetROP2
SetMapMode
StretchBlt
GetDIBits
SetPixel
GetPixel
PtInRegion
Polygon
GetBitmapBits
ExtCreateRegion
GetCurrentObject
EnumFontFamiliesExA
Polyline
GetRgnBox
CreatePolygonRgn
RoundRect
ExtFloodFill
Ellipse
StrokePath
FillPath
StrokeAndFillPath
EndPath
CloseFigure
SetViewportOrgEx
comdlg32
GetOpenFileNameA
GetSaveFileNameA
PrintDlgA
CommDlgExtendedError
ChooseColorA
FindTextA
GetFileTitleA
ReplaceTextA
winspool.drv
ClosePrinter
OpenPrinterA
DocumentPropertiesA
advapi32
SetFileSecurityA
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegEnumKeyA
RegCreateKeyA
RegSetValueA
GetFileSecurityA
RegQueryValueExA
RegDeleteValueA
RegSetValueExA
RegCreateKeyExA
RegDeleteKeyA
shell32
ExtractIconA
DragQueryFileA
DragFinish
ShellExecuteA
SHAppBarMessage
SHBrowseForFolderA
SHGetPathFromIDListA
ord71
SHGetFileInfoA
SHGetSpecialFolderLocation
Shell_NotifyIconA
SHGetMalloc
comctl32
ImageList_LoadImageA
ImageList_Create
ImageList_Destroy
ord17
ImageList_AddMasked
ImageList_ReplaceIcon
ImageList_GetImageInfo
ImageList_Draw
ImageList_Remove
ImageList_Add
ImageList_GetIcon
ImageList_DrawEx
ImageList_GetIconSize
ImageList_GetImageCount
_TrackMouseEvent
oledlg
ord1
ord8
ole32
CoInitialize
CoUninitialize
CoCreateInstance
CoDisconnectObject
CLSIDFromProgID
CLSIDFromString
OleDuplicateData
CoTaskMemAlloc
CoTaskMemFree
ReleaseStgMedium
StgOpenStorageOnILockBytes
StgCreateDocfileOnILockBytes
CreateILockBytesOnHGlobal
OleRun
OleInitialize
OleUninitialize
CoFreeUnusedLibraries
CoRegisterMessageFilter
CoRevokeClassObject
OleFlushClipboard
OleIsCurrentClipboard
CoGetClassObject
OleGetClipboard
RegisterDragDrop
CoLockObjectExternal
RevokeDragDrop
olepro32
ord253
oleaut32
SysAllocStringByteLen
VariantChangeType
SysStringByteLen
VarDateFromStr
VarBstrFromDate
SysAllocString
SysFreeString
SysAllocStringLen
VariantTimeToSystemTime
SysStringLen
LoadTypeLi
VariantCopy
VariantClear
SafeArrayGetDim
SafeArrayGetElemsize
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
OleLoadPicturePath
VariantChangeTypeEx
ws2_32
htons
bind
listen
WSACleanup
WSAStartup
gethostname
gethostbyname
WSAEnumNetworkEvents
getpeername
inet_ntoa
WSAEventSelect
WSAIoctl
setsockopt
accept
socket
WSARecv
WSASend
WSACloseEvent
send
WSACreateEvent
closesocket
WSAGetLastError
ntohs
shutdown
WSAWaitForMultipleEvents
WSASocketA
getsockname
inet_addr
ioctlsocket
recv
__WSAFDIsSet
select
connect
pdh
PdhAddCounterA
PdhOpenQueryA
PdhGetFormattedCounterValue
PdhCollectQueryData
PdhCloseQuery
avifil32
AVIFileExit
AVIStreamSetFormat
AVIFileCreateStreamA
AVIFileOpenA
AVIStreamWrite
AVIFileRelease
AVIFileInit
AVIStreamRelease
msvfw32
DrawDibDraw
ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICDecompress
DrawDibOpen
DrawDibClose
wininet
InternetWriteFile
InternetReadFile
InternetQueryDataAvailable
InternetGetLastResponseInfoA
InternetSetFilePointer
InternetSetStatusCallback
InternetOpenUrlA
InternetCloseHandle
InternetOpenA
InternetQueryOptionA
InternetCanonicalizeUrlA
InternetCrackUrlA
imm32
ImmAssociateContext
Sections
.text Size: 2.2MB - Virtual size: 2.2MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rodata Size: 12KB - Virtual size: 11KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rotext Size: 112KB - Virtual size: 108KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 400KB - Virtual size: 398KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1.9MB - Virtual size: 2.4MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 84KB - Virtual size: 80KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ