gh0strat | fc0fe5b593458f4ba8a00bf69f8d20b0_JC[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

fc0fe5b593458f4ba8a00bf69f8d20b0_JC.exe
Size

156KB
MD5

fc0fe5b593458f4ba8a00bf69f8d20b0
SHA1

fd7e5e43a8086cdd026bb3e850dfeb8776f870e6
SHA256

f9216929051a7c8b18e5792477783b8c42e1e98077a0a0ab22e254423772a782
SHA512

3665ee99ee021686a7558ded413458dd7eeeb7716cf052f028401986868f59cca36ad7555c405ae920443ce227b84faffb762ff0492065012c53270367f3cd47
SSDEEP

3072:mAou6MqmI4Q55HdMMhcCsvdsq/tzcpMrURW2u2covOEyvQFYa:m11RM7Jsq/tYkUcp2cIOEyvda

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fc0fe5b593458f4ba8a00bf69f8d20b0_JC.exe

Files

fc0fe5b593458f4ba8a00bf69f8d20b0_JC.exe
.exe windows:4 windows x86

eeec719ed5d6d9b09b373b1bbe209940

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFilePointer
GetFileSize
CreateFileA
LocalFree
LocalAlloc
ReadFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
OpenEventA
CreateMutexA
CreateDirectoryA
CopyFileA
lstrlenA
GetCurrentThreadId
MultiByteToWideChar
WideCharToMultiByte
lstrcpyW
LocalReAlloc
LocalSize
GlobalMemoryStatusEx
WinExec
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
Module32Next
Module32First
CreateRemoteThread
OpenProcess
GetDiskFreeSpaceExA
GetDriveTypeA
WriteFile
GetTempPathA
MoveFileExA
SetFileAttributesA
GetSystemDirectoryA
DeleteFileA
GetModuleFileNameA
GetShortPathNameA
GetCurrentProcess
GetEnvironmentVariableA
SetPriorityClass
GetCurrentThread
SetThreadPriority
ResumeThread
TerminateThread
lstrcpyA
GetWindowsDirectoryA
lstrcatA
GetStartupInfoA
CreateProcessA
GetFileAttributesA
GetLastError
MoveFileA
GetProcessHeap
GetProcAddress
HeapAlloc
GetCurrentProcessId
FreeLibrary
CreateThread
ExitThread
GetLocalTime
GetTickCount
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
Sleep
LoadLibraryA
DefineDosDeviceA
RaiseException
GetModuleHandleA

gdi32

CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
GetStockObject

advapi32

OpenProcessToken
GetTokenInformation
LookupAccountSidA
GetUserNameA
AbortSystemShutdownA
QueryServiceStatus
ControlService
RegDeleteKeyA
CreateServiceA
LockServiceDatabase
ChangeServiceConfig2A
UnlockServiceDatabase
StartServiceA
CloseServiceHandle
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyA
OpenSCManagerA
OpenServiceA
DeleteService
RegCreateKeyA
RegSetValueExA
OpenEventLogA
ClearEventLogA
CloseEventLog
RegOpenKeyExA
RegQueryValueExA
RegCloseKey

msvcrt

__CxxFrameHandler
_CxxThrowException
memmove
ceil
_ftol
strstr
rand
sprintf
strncpy
strchr
malloc
free
_except_handler3
strrchr
exit
strncat
realloc
atoi
strncmp
_errno
mbstowcs
wcslen
wcstombs
wcscpy
_mbsstr
_mbscmp
atol
_beginthreadex
_snprintf
calloc
??1type_info@@UAE@XZ
__dllonexit
_onexit
_iob
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
strlen
??0exception@@QAE@ABV0@@Z
_strcmpi
_strnicmp
??2@YAPAXI@Z
??3@YAXPAX@Z
memcpy

wininet

InternetOpenUrlA
InternetReadFile
InternetCloseHandle
InternetOpenA

urlmon

URLDownloadToFileA

msvfw32

ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
ICSeqCompressFrame
ICSeqCompressFrameStart

netapi32

NetApiBufferFree
NetUserGetInfo
NetUserEnum
NetLocalGroupAddMembers
NetUserAdd
NetUserDel
NetUserGetLocalGroups
NetUserSetInfo

wtsapi32

WTSEnumerateSessionsA
WTSQuerySessionInformationW
WTSQuerySessionInformationA
WTSDisconnectSession
WTSFreeMemory
WTSLogoffSession

Sections

.text
Size: 112KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

eeec719ed5d6d9b09b373b1bbe209940

Headers

File Characteristics

Imports

kernel32

gdi32

advapi32

msvcrt

wininet

urlmon

msvfw32

netapi32

wtsapi32

Sections

.text Size: 112KB - Virtual size: 109KB

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 16KB - Virtual size: 27KB

.rsrc Size: 8KB - Virtual size: 8KB

.text
Size: 112KB - Virtual size: 109KB

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 16KB - Virtual size: 27KB

.rsrc
Size: 8KB - Virtual size: 8KB