gh0strat | 052542f14d0f19b8f47f4021f7a003c2

Sharing

Copy URL Twitter E-mail

General

Target

052542f14d0f19b8f47f4021f7a003c2
Size

1.8MB
MD5

052542f14d0f19b8f47f4021f7a003c2
SHA1

3672f60e71a295cbd3ca700162d8ad4580e5a43d
SHA256

cb6ca92e2d1ee03fbb6c20ca2fb2159eb951017c7b1fbda8d1ee3773c7bddcfd
SHA512

c1e4de6271f922adf1189d2b3b3adbed2f365d6407d9e3fb6f8101afbe7877082d5b966e86ac8a58619eda10a3337054ae07dcacc72a0a1a28560f5bb3dc581b
SSDEEP

6144:cx736lpc4ZRUyFlI+gftTBlknL2uQiQgka:qL4TZRT+tT3bCnz

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
052542f14d0f19b8f47f4021f7a003c2

Files

052542f14d0f19b8f47f4021f7a003c2
.dll windows:4 windows x86 arch:x86

7144e75d8dc953cb6fd41c7cc5e08592

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

wvsprintfA
CloseWindowStation
CreateWindowExA
DestroyWindow
GetClassNameA
GetWindow
ShowWindow
EnableWindow
GetWindowRect
LoadCursorA
DestroyCursor
PtInRect
GetCursorInfo
SendMessageTimeoutA
CopyRect
MessageBoxA
wsprintfA

shlwapi

SHDeleteKeyA

advapi32

RegRestoreKeyA
RegisterServiceCtrlHandlerExA
RegOpenKeyExW
RegSaveKeyA

kernel32

GetLongPathNameA
GetTempPathA
SetEnvironmentVariableA
GetFileAttributesExA
GetCommandLineA
ExitProcess
IsBadStringPtrW
IsBadReadPtr
ExitThread
RemoveDirectoryA
DeleteFileA
GetSystemDirectoryA
GlobalMemoryStatusEx
LocalAlloc
RaiseException
LoadLibraryA
GetCurrentProcessId
InitializeCriticalSection
GetLastError
lstrcmpiA
GetProcAddress
GetModuleHandleA
GetTickCount
GetLocalTime
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
HeapAlloc
MultiByteToWideChar
FreeLibrary
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
GetCurrentThreadId
GetShortPathNameA
GetTempFileNameA
InterlockedExchange
LeaveCriticalSection
GlobalFree
GlobalAlloc
GetModuleFileNameA
SetUnhandledExceptionFilter
FormatMessageA
VirtualQuery
IsBadWritePtr
GetSystemInfo
GetProcessTimes
GetCurrentProcess

msvcrt

_ftol
atoi
_adjust_fdiv
_initterm
_onexit
__dllonexit
_stricmp
_wcsicmp
_strlwr
_memicmp
_strupr
_beginthreadex
realloc
wcslen
__CxxFrameHandler
free
malloc
_except_handler3
strrchr
strncpy
rand
srand
time
ceil
strchr
_callnewh
strncat
memmove
wcstombs

Exports

Exports

DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumerateLoadedModules
EnumerateLoadedModules64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindExecutableImage
FindExecutableImageEx
FindFileInPath
FindFileInSearchPath
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MapDebugInformation
MiniDumpReadDumpStream
MiniDumpWriteDump
SearchTreeForFile
StackWalk
StackWalk64
SymAddSymbol
SymCleanup
SymDeleteSymbol
SymEnumLines
SymEnumSourceFiles
SymEnumSym
SymEnumSymbols
SymEnumSymbolsForAddr
SymEnumTypes
SymEnumerateModules
SymEnumerateModules64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindFileInPath
SymFromAddr
SymFromName
SymFromToken
SymFunctionTableAccess
SymFunctionTableAccess64
SymGetFileLineOffsets64
SymGetHomeDirectory

Sections

.text
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 294B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7144e75d8dc953cb6fd41c7cc5e08592

Headers

File Characteristics

Imports

user32

shlwapi

advapi32

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 104KB - Virtual size: 100KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 294B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 104KB - Virtual size: 100KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 294B

.reloc
Size: 8KB - Virtual size: 7KB