gh0strat | 050c2361ce391cd740630c8dbad6a009cbb694f6bdd05007afcac9f89705bb2e

Sharing

Copy URL

Twitter E-mail

General

Target

050c2361ce391cd740630c8dbad6a009cbb694f6bdd05007afcac9f89705bb2e
Size

10.3MB
MD5

77b4aeed986e8cbdcd8ea4928a99e080
SHA1

3df155ea5047ecc1cb01f841714257ee766e87dd
SHA256

050c2361ce391cd740630c8dbad6a009cbb694f6bdd05007afcac9f89705bb2e
SHA512

735fe0a537e24ab121c3a62b276491166a4d22d9ef4762fed76204864872be299e013499ee988dae7269ec79c8a677dfcd7347f42e6211586e2a50cd8da228bb
SSDEEP

3072:Anc+NDagQWf2VBEOQqFCabxYgKnc+NDagQWf2VBEOQqFCabxYge/:mZkucETMCJHZkucETMCJn

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
050c2361ce391cd740630c8dbad6a009cbb694f6bdd05007afcac9f89705bb2e

Files

050c2361ce391cd740630c8dbad6a009cbb694f6bdd05007afcac9f89705bb2e
.dll windows:4 windows x86

f151c46d34ccb49f6384e6f391ceb69e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CancelIo
Sleep
GetFileAttributesA
FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetLastError
CreateDirectoryA
lstrlenA
GetDiskFreeSpaceExA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
GetFileSize
CreateFileA
ReadFile
WriteFile
MoveFileA
lstrcatA
SetFilePointer
GetModuleFileNameA
GetCurrentProcess
VirtualAllocEx
GetLocalTime
GetTickCount
HeapFree
GetProcessHeap
HeapAlloc
OutputDebugStringA
ResetEvent
InterlockedExchange
VirtualFree
VirtualAlloc
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
DeviceIoControl
GetSystemInfo
GetModuleHandleA
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
CreateRemoteThread
OpenProcess
Module32Next
Module32First
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateEventA
SetEvent
WaitForSingleObject
DeleteFileA
LoadLibraryA
RaiseException
GetProcAddress
lstrcpyA
CloseHandle
UnmapViewOfFile

gdi32

DeleteDC
SelectObject
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteObject
GetStockObject

shell32

SHGetFileInfoA
SHGetSpecialFolderPathA

shlwapi

SHDeleteKeyA

msvcrt

strncpy
fclose
fwrite
fopen
realloc
atoi
strncmp
sprintf
strncat
strchr
atol
wcstombs
strrchr
_snprintf
calloc
_initterm
_adjust_fdiv
_strnicmp
_stricmp
_strrev
malloc
_strcmpi
free
_except_handler3
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
_beginthreadex
??2@YAPAXI@Z

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

msvcp60

?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

imm32

ImmGetCompositionStringA
ImmGetContext
ImmReleaseContext

msvfw32

ICClose
ICCompressorFree
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICSeqCompressFrame
ICSeqCompressFrameEnd

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationA

Exports

Exports

CodeMain
CodeService
MainCode
MainService
ServiceCode
ServiceMain
main

Sections

.text
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f151c46d34ccb49f6384e6f391ceb69e

Headers

File Characteristics

Imports

kernel32

gdi32

shell32

shlwapi

msvcrt

userenv

msvcp60

imm32

msvfw32

wtsapi32

Exports

Exports

Sections

.text Size: 131KB - Virtual size: 131KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 131KB - Virtual size: 131KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB