gh0strat | 03c26e1d977db0f2a3b603a2fa93b8bd

Sharing

Copy URL Twitter E-mail

General

Target

03c26e1d977db0f2a3b603a2fa93b8bd
Size

928KB
MD5

03c26e1d977db0f2a3b603a2fa93b8bd
SHA1

6d6ff8981bcbd36c1dedda7ca5fdc711f2cb5d2f
SHA256

8ac9fe245dc6f9e822a85de4b9c5dc352c67765428483ae8967d37bd7cd71e3b
SHA512

e1f24e44813d325b4a563063149075fee4c5b3a66348cffe304d3928ac96f2b2fd63779735e2c84375d4f2fef7366c560c1517edad84f6b51753f6eda339d0f5
SSDEEP

3072:nza5WQ22UH4IzHU0b8Gx44Ri6hFUxTBftDP6o9bW2ZF53+q0QJyB5i7+n:O592H4OUCrhRnLUxTBlW0W2ZFV+KJ2gu

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
03c26e1d977db0f2a3b603a2fa93b8bd

Files

03c26e1d977db0f2a3b603a2fa93b8bd
.dll windows:4 windows x86 arch:x86

944215da5d42d19e9c85b98bdd4cf877

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysFreeString

kernel32

LocalAlloc
InitializeCriticalSection
LeaveCriticalSection
GetTickCount
GetLocalTime
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
GetLastError
HeapAlloc
SetLastError
GetCommandLineA
VirtualQuery
GetProcAddress
GetModuleHandleA
GetCurrentProcessId
GetCurrentThreadId
GetShortPathNameA
GetFileAttributesExA
lstrcmpA
lstrcmpiA
GetSystemDirectoryA
MultiByteToWideChar
SetEnvironmentVariableA
GetTempPathA
GetCurrentProcess
GetLongPathNameA
GetModuleFileNameA
InterlockedExchange
FreeLibrary
GlobalFree
GlobalAlloc
SetUnhandledExceptionFilter
FormatMessageA
IsBadWritePtr
ExitProcess
GetVersionExA
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
GetCurrentThread
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetTempFileNameA
LoadLibraryA
RaiseException

shell32

SHFileOperationA

ole32

CoCreateInstance
CoInitialize
CoTaskMemFree
CoUninitialize

user32

DestroyWindow
wsprintfA
GetClassNameA
GetWindow
ShowWindow
CreateWindowExA
DestroyCursor
PtInRect
GetCursorInfo
CopyRect
SendMessageTimeoutA
wvsprintfA
EnableWindow
MessageBoxA
LoadCursorA
CloseWindowStation

shlwapi

SHDeleteKeyA

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

ws2_32

WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
socket
gethostbyname
getsockname
shutdown
send
closesocket
recv
select
gethostname

msvcrt

strrchr
_adjust_fdiv
_initterm
_onexit
__dllonexit
_memicmp
_strupr
_wcsicmp
_stricmp
??3@YAXPAX@Z
_strlwr
_beginthreadex
wcstombs
atoi
strncat
??2@YAPAXI@Z
time
srand
rand
realloc
strchr
malloc
free
_except_handler3
_ftol
ceil
memmove
__CxxFrameHandler
wcslen
strncpy

Exports

Exports

CAAccessCheck
CAAccessCheckEx
CAAddCACertificateType
CACertTypeAccessCheck
CACertTypeAccessCheckEx
CACertTypeGetSecurity
CACertTypeQuery
CACertTypeRegisterQuery
CACertTypeSetSecurity
CACertTypeUnregisterQuery
CACloneCertType
CACloseCA
CACloseCertType
CACountCAs
CACountCertTypes
CACreateAutoEnrollmentObjectEx
CACreateCertType
CACreateLocalAutoEnrollmentObject
CACreateNewCA
CADeleteCA
CADeleteCertType
CADeleteLocalAutoEnrollmentObject
CAEnumCertTypes
CAEnumCertTypesEx
CAEnumCertTypesForCA
CAEnumCertTypesForCAEx
CAEnumFirstCA
CAEnumNextCA
CAEnumNextCertType
CAFindByCertType
CAFindByIssuerDN
CAFindByName
CAFindCertTypeByName
CAFreeCAProperty
CAFreeCertTypeExtensions
CAFreeCertTypeProperty
CAGetCACertificate
CAGetCAExpiration
CAGetCAFlags
CAGetCAProperty
CAGetCASecurity
CAGetCertTypeExpiration
CAGetCertTypeExtensions
CAGetCertTypeExtensionsEx
CAGetCertTypeFlags
CAGetCertTypeFlagsEx
CAGetCertTypeKeySpec
CAGetCertTypeProperty
CAGetCertTypePropertyEx
CAGetDN

Sections

.text
Size: 100KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

944215da5d42d19e9c85b98bdd4cf877

Headers

File Characteristics

Imports

oleaut32

kernel32

shell32

ole32

user32

shlwapi

userenv

ws2_32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 98KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 16B

.reloc Size: 8KB - Virtual size: 6KB

.text
Size: 100KB - Virtual size: 98KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 16B

.reloc
Size: 8KB - Virtual size: 6KB