gh0strat | 1044-1-0x0000000010000000-0x0000000010017000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

1044-1-0x0000000010000000-0x0000000010017000-memory.dmp
Size

92KB
MD5

71226684dd7e144e1e513af88dc89c6a
SHA1

839a1baa020cc119c0018b9f8f32357000ee37fd
SHA256

95b3f83e453c5a026a8eabc873c6bd5777d61bcb2186c75c25c4fe122ad116fc
SHA512

b9e18deec2e641350cd8b3a468ea941da270cc38d5595cf7c55054d2847afb57bc3a93a8609bdf7ac220564760c8e19b21e2673f85d291d8d2d8efa28c776762
SSDEEP

1536:uFeqajGayQBKTiGInFFkFp5jlbqRqNvhYCn5:8eqaYQBK21FsxqSvGi5

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

182.42.105.12

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1044-1-0x0000000010000000-0x0000000010017000-memory.dmp

Files

1044-1-0x0000000010000000-0x0000000010017000-memory.dmp
.dll windows:4 windows x86

1ae82a4d4caa410fb57bfdd08dc07755

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LoadLibraryA
lstrcpyA
lstrcatA
GetSystemDirectoryA
TerminateProcess
CreateProcessA
lstrlenA
SetFilePointer
GetFileSize
GetLocalTime
ExpandEnvironmentStringsA
GetVersionExA
ExitProcess
GetModuleFileNameA
Process32Next
OpenProcess
Process32First
OutputDebugStringA
WinExec
CopyFileA
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
DeleteFileA
GetProcAddress
LocalAlloc
GetComputerNameA
GetDiskFreeSpaceExA
GetDriveTypeA
GlobalMemoryStatusEx
ReadFile
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetSystemInfo
lstrcmpiA
LoadLibraryW
GetFileAttributesA
CreateDirectoryA
ReleaseMutex
CreateMutexA
MoveFileExA
MoveFileA
SetFileAttributesA
GetCurrentThreadId
FreeLibrary
CreateThread
ExitThread
GetTickCount
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
GlobalAlloc
GetLastError
LocalFree
SetLastError
CreateFileA
DeviceIoControl
WriteFile
CloseHandle
Sleep
GetVersion
GetCurrentProcess
FindFirstFileA
FindNextFileA
VirtualFree
GlobalLock
GlobalUnlock
VirtualAlloc
LocalSize

user32

GetLastInputInfo
GetSystemMetrics
EnumWindows
GetMessageA
SendMessageA
MessageBoxA
GetKeyState
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
wsprintfA
EmptyClipboard
SetClipboardData
PostThreadMessageA
GetInputState
IsWindowVisible
ExitWindowsEx
CloseClipboard
GetClipboardData
OpenClipboard

advapi32

OpenProcessToken
OpenEventLogA
ClearEventLogA
CloseEventLog
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
DeleteService

shell32

SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoInitialize
CoCreateGuid
CoUninitialize

ws2_32

inet_addr
inet_ntoa
gethostname
WSAGetLastError
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
recv
closesocket
send
WSASocketA
sendto
htonl
getsockname

msvcrt

_strupr
??2@YAPAXI@Z
_strcmpi
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_beginthreadex
_except_handler3
strncmp
_snprintf
_access
strrchr
free
realloc
malloc
time
srand
strchr
sprintf
strstr
strcspn
strncpy
atoi
rand
_CxxThrowException
_stricmp
exit
__CxxFrameHandler
_ftol
??3@YAXPAX@Z

setupapi

SetupDiEnumDeviceInfo
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsA
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA

iphlpapi

GetIfTable

urlmon

URLDownloadToFileA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Exports

Exports

fuckyou
fuckyou1

Sections

.text
Size: 52KB - Virtual size: 256.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 256.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

1ae82a4d4caa410fb57bfdd08dc07755

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

msvcrt

setupapi

iphlpapi

urlmon

wtsapi32

Exports

Exports

Sections

.text Size: 52KB - Virtual size: 256.0MB

.rdata Size: 12KB - Virtual size: 256.1MB

.data Size: 12KB - Virtual size: 256.1MB

.reloc Size: 8KB - Virtual size: 256.1MB

.text
Size: 52KB - Virtual size: 256.0MB

.rdata
Size: 12KB - Virtual size: 256.1MB

.data
Size: 12KB - Virtual size: 256.1MB

.reloc
Size: 8KB - Virtual size: 256.1MB