gh0strat | a30dfb263e75b213617a480184537171afd743ebae9286b3e9fd9cb26b0c0f7a

Sharing

Copy URL Twitter E-mail

General

Target

a30dfb263e75b213617a480184537171afd743ebae9286b3e9fd9cb26b0c0f7a
Size

108KB
MD5

fdb1a4d4170d3aed2ccc6cc8e0f35e5c
SHA1

a43f1f947ecc79d788708c781430259d64975a90
SHA256

a30dfb263e75b213617a480184537171afd743ebae9286b3e9fd9cb26b0c0f7a
SHA512

2bc7a4d65cd7a7c241676c735039e5cb07ef196237c2a5324b43ba3dd0e27f6622777f9bfff51637c075353fe0327a71c07236f45c113eab27507bdf2cf2e915
SSDEEP

1536:0AtI/DAe4GKPzxySmT6FnToIfYR+5DbD+i2zP84:0AtwePz8S66tTBfYR+5r2d

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a30dfb263e75b213617a480184537171afd743ebae9286b3e9fd9cb26b0c0f7a

Files

a30dfb263e75b213617a480184537171afd743ebae9286b3e9fd9cb26b0c0f7a
.dll windows x86

31319472ee8e3c574b3f3f13e8b4ebb9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

OpenProcess
WinExec
TerminateThread
CreateThread
GetTickCount
GetCommandLineA
FreeConsole
GetCurrentProcessId
GetConsoleProcessList
AttachConsole
LocalFree
DeleteFileA
GetCurrentProcess
LocalAlloc
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
GetModuleHandleA
TerminateProcess
GetDiskFreeSpaceExA
GetDriveTypeA
GlobalMemoryStatusEx
GetSystemInfo
ReleaseMutex
CreateMutexA
ProcessIdToSessionId
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DefineDosDeviceA
ExpandEnvironmentStringsA
GetCurrentThreadId
lstrcmpiA
GetVersionExA
GetModuleFileNameA
GetFileAttributesA
CopyFileA
MoveFileExA
CreateDirectoryA
SetFileAttributesA
Beep
DeviceIoControl
GetVersion
ExitProcess
WTSGetActiveConsoleSessionId
LoadLibraryA
GetProcAddress
FreeLibrary
CreateToolhelp32Snapshot
Process32First
GetLastError
Process32Next
lstrcpyA
CreateProcessA
lstrcatA
GetLocalTime
GetSystemDirectoryA
CreateFileA
GetFileSize
SetFilePointer
lstrlenA
WriteFile
Sleep
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
InitializeCriticalSection
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
LoadLibraryW

user32

GetThreadDesktop
CloseDesktop
wsprintfA
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
MessageBoxA
EnumWindows
ExitWindowsEx
OpenInputDesktop
GetWindowRect
MoveWindow
SendMessageA
ShowWindow
FindWindowA
ChangeDisplaySettingsA
GetSystemMetrics
GetClassNameA
GetWindow
GetLastInputInfo
GetMessageA
GetInputState
PostThreadMessageA
SetThreadDesktop
GetUserObjectInformationA
SwapMouseButton

advapi32

ClearEventLogA
OpenSCManagerA
OpenServiceA
CloseServiceHandle
StartServiceA
RegCreateKeyA
RegSetValueExA
OpenEventLogA
CloseEventLog
GetUserNameA
CreateProcessAsUserA
RegOpenKeyExA
RegQueryValueA
RegCloseKey
DeleteService
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegEnumValueA
RegEnumKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
SetTokenInformation
DuplicateTokenEx
RegisterServiceCtrlHandlerExA
StartServiceCtrlDispatcherA
ChangeServiceConfigA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
SetServiceStatus

shell32

SHGetSpecialFolderPathA
ShellExecuteExA
ShellExecuteA

ole32

CoUninitialize
CoCreateInstance
CoInitialize

oleaut32

SysFreeString

mfc42

ord825
ord823

msvcrt

_wcsupr
_adjust_fdiv
_initterm
_onexit
__dllonexit
??1type_info@@UAE@XZ
strncpy
strrchr
strchr
_stricmp
_strnicmp
realloc
rand
malloc
sprintf
free
wcsstr
_strlwr
_CxxThrowException
__CxxFrameHandler
strstr
_ftol
ceil
memmove
_strcmpi
strncat
_except_handler3

msvcp60

??0_Lockit@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ

ws2_32

getsockname
closesocket
inet_addr
gethostname
send
recv
select
socket
gethostbyname
WSACleanup
WSAStartup
htons
connect
setsockopt
WSAIoctl

winmm

mciSendStringA

iphlpapi

GetIfTable

shlwapi

PathFileExistsA

wininet

InternetOpenA
InternetCloseHandle
InternetQueryDataAvailable
InternetReadFile
InternetGetConnectedState
InternetOpenUrlA

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationA

Exports

Exports

Shellex

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

31319472ee8e3c574b3f3f13e8b4ebb9

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

mfc42

msvcrt

msvcp60

ws2_32

winmm

iphlpapi

shlwapi

wininet

wtsapi32

Exports

Exports

Sections

.text Size: 52KB - Virtual size: 51KB

.rdata Size: 20KB - Virtual size: 17KB

.data Size: 8KB - Virtual size: 13KB

.rsrc Size: 16KB - Virtual size: 12KB

.reloc Size: 8KB - Virtual size: 4KB

.text
Size: 52KB - Virtual size: 51KB

.rdata
Size: 20KB - Virtual size: 17KB

.data
Size: 8KB - Virtual size: 13KB

.rsrc
Size: 16KB - Virtual size: 12KB

.reloc
Size: 8KB - Virtual size: 4KB