gh0strat | 2872-1-0x0000000010000000-0x0000000010017000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

2872-1-0x0000000010000000-0x0000000010017000-memory.dmp
Size

92KB
MD5

c74cb519e4309827099161b7f1ea7959
SHA1

75f98e033100376c794d542dacea09a80e6702a9
SHA256

b2154116841434955923b3399510172e96c6b4f77fe08bca32f8c4a25830b721
SHA512

398be85cfcb647edfd29eca87d266e35aaeb8128c6f08762802a3c0da413221838be69dafdf37238a48ab412afc0080f0802644578638ca0c753cbd654e572b6
SSDEEP

1536:uFeqajGayQBKTiGInFFkFp5jlbqRiIKjNvhYCn5:8eqaYQBK21FsxqSvGi5

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

182.42.105.12

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2872-1-0x0000000010000000-0x0000000010017000-memory.dmp

Files

2872-1-0x0000000010000000-0x0000000010017000-memory.dmp
.dll windows:4 windows x86

1ae82a4d4caa410fb57bfdd08dc07755

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LoadLibraryA
lstrcpyA
lstrcatA
GetSystemDirectoryA
TerminateProcess
CreateProcessA
lstrlenA
SetFilePointer
GetFileSize
GetLocalTime
ExpandEnvironmentStringsA
GetVersionExA
ExitProcess
GetModuleFileNameA
Process32Next
OpenProcess
Process32First
OutputDebugStringA
WinExec
CopyFileA
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DeleteFileA
GetProcAddress
LocalAlloc
GetComputerNameA
GetDiskFreeSpaceExA
GetDriveTypeA
GlobalMemoryStatusEx
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
lstrcmpiA
LoadLibraryW
GetFileAttributesA
CreateDirectoryA
ReleaseMutex
CreateMutexA
MoveFileExA
MoveFileA
SetFileAttributesA
GetCurrentThreadId
FreeLibrary
CreateThread
ExitThread
GetTickCount
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GlobalAlloc
GetLastError
LocalFree
SetLastError
CreateFileA
DeviceIoControl
WriteFile
CloseHandle
Sleep
GetVersion
GetCurrentProcess
FindFirstFileA
FindNextFileA
VirtualFree
GlobalLock
GlobalUnlock
VirtualAlloc
LocalSize

user32

GetLastInputInfo
GetSystemMetrics
EnumWindows
GetMessageA
SendMessageA
MessageBoxA
GetKeyState
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
wsprintfA
EmptyClipboard
SetClipboardData
PostThreadMessageA
GetInputState
IsWindowVisible
ExitWindowsEx
CloseClipboard
GetClipboardData
OpenClipboard

advapi32

OpenProcessToken
OpenEventLogA
ClearEventLogA
CloseEventLog
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
DeleteService

shell32

SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoInitialize
CoCreateGuid
CoUninitialize

ws2_32

inet_addr
inet_ntoa
gethostname
WSAGetLastError
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
recv
closesocket
send
WSASocketA
sendto
htonl
getsockname

msvcrt

_strupr
??2@YAPAXI@Z
_strcmpi
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_beginthreadex
_except_handler3
strncmp
_snprintf
_access
strrchr
free
realloc
malloc
time
srand
strchr
sprintf
strstr
strcspn
strncpy
atoi
rand
_CxxThrowException
_stricmp
exit
__CxxFrameHandler
_ftol
??3@YAXPAX@Z

setupapi

SetupDiEnumDeviceInfo
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA

iphlpapi

GetIfTable

urlmon

URLDownloadToFileA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

fuckyou
fuckyou1

Sections

.text
Size: 52KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

1ae82a4d4caa410fb57bfdd08dc07755

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

msvcrt

setupapi

iphlpapi

urlmon

wtsapi32

Exports

Exports

Sections

.text Size: 52KB - Virtual size: 256.0MB

.rdata Size: 12KB - Virtual size: 256.1MB

.data Size: 12KB - Virtual size: 256.1MB

.reloc Size: 8KB - Virtual size: 256.1MB

.text
Size: 52KB - Virtual size: 256.0MB

.rdata
Size: 12KB - Virtual size: 256.1MB

.data
Size: 12KB - Virtual size: 256.1MB

.reloc
Size: 8KB - Virtual size: 256.1MB