gh0strat | 4dc6088d2134897a1bef1ee122b1c31290f6124c5dbf7b16ca297e491b1c8478

Sharing

Copy URL Twitter E-mail

General

Target

4dc6088d2134897a1bef1ee122b1c31290f6124c5dbf7b16ca297e491b1c8478
Size

6.2MB
MD5

c40ae848b4fa874a6b98d05da67efbdd
SHA1

e9a70fec0b74e14d1bf0b29666a1998d086916f9
SHA256

4dc6088d2134897a1bef1ee122b1c31290f6124c5dbf7b16ca297e491b1c8478
SHA512

913f682e0c660dc12ebaa8a7b21ac88c0ada298678d080c83894d41b89a6e866f02a73ef8d8b72231ae44fc0e96af303a9a8cbc251b5245f3bca8e6ec1dd313b
SSDEEP

1536:Mb3Vpc+UCbQaDS9OleleSiJBT0dEQkRG7BxWQ+59f2cWByfOQqF/fCabxYngj:Anc+NDagQWf2VBEOQqFCabxYgj

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4dc6088d2134897a1bef1ee122b1c31290f6124c5dbf7b16ca297e491b1c8478

Files

4dc6088d2134897a1bef1ee122b1c31290f6124c5dbf7b16ca297e491b1c8478
.dll windows:4 windows x86

f151c46d34ccb49f6384e6f391ceb69e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CancelIo
Sleep
GetFileAttributesA
FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetLastError
CreateDirectoryA
lstrlenA
GetDiskFreeSpaceExA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
GetFileSize
CreateFileA
ReadFile
WriteFile
MoveFileA
lstrcatA
SetFilePointer
GetModuleFileNameA
GetCurrentProcess
VirtualAllocEx
GetLocalTime
GetTickCount
HeapFree
GetProcessHeap
HeapAlloc
OutputDebugStringA
ResetEvent
InterlockedExchange
VirtualFree
VirtualAlloc
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
DeviceIoControl
GetSystemInfo
GetModuleHandleA
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
CreateRemoteThread
OpenProcess
Module32Next
Module32First
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateEventA
SetEvent
WaitForSingleObject
DeleteFileA
LoadLibraryA
RaiseException
GetProcAddress
lstrcpyA
CloseHandle
UnmapViewOfFile

gdi32

DeleteDC
SelectObject
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteObject
GetStockObject

shell32

SHGetFileInfoA
SHGetSpecialFolderPathA

shlwapi

SHDeleteKeyA

msvcrt

strncpy
fclose
fwrite
fopen
realloc
atoi
strncmp
sprintf
strncat
strchr
atol
wcstombs
strrchr
_snprintf
calloc
_initterm
_adjust_fdiv
_strnicmp
_stricmp
_strrev
malloc
_strcmpi
free
_except_handler3
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
_beginthreadex
??2@YAPAXI@Z

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

msvcp60

?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

imm32

ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext

msvfw32

ICClose
ICCompressorFree
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICSeqCompressFrame
ICSeqCompressFrameEnd

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationA

Exports

Exports

CodeMain
CodeService
MainCode
MainService
ServiceCode
ServiceMain
main

Sections

.text
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f151c46d34ccb49f6384e6f391ceb69e

Headers

File Characteristics

Imports

kernel32

gdi32

shell32

shlwapi

msvcrt

userenv

msvcp60

imm32

msvfw32

wtsapi32

Exports

Exports

Sections

.text Size: 131KB - Virtual size: 131KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 131KB - Virtual size: 131KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB