gh0strat | 410c831736ee641fdcaf4663f30bafab

Sharing

Copy URL Twitter E-mail

General

Target

410c831736ee641fdcaf4663f30bafab
Size

112KB
MD5

410c831736ee641fdcaf4663f30bafab
SHA1

113ebe8ba142e9b15d24228744fc5d0ce00a228b
SHA256

5d24d415cd1aea8fe29dc9b4702b9f46ded71e1f3493b6d69776e12ca6904e68
SHA512

8a5b7820d12e21ee06dc7231b66ab3ac622d103fe8125258b5f6d9104831d39f70412a71fd04194343ac005df0c23300be2ad697ffa6a29a683d1421eb76a57d
SSDEEP

3072:4hmOQs677cQPWynE4FAxy1v8CKE+gccclcsoWMU:Yn6B+yE4CypxKE+VcclcsoWM

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
410c831736ee641fdcaf4663f30bafab

Files

410c831736ee641fdcaf4663f30bafab
.exe windows:4 windows x86 arch:x86

e9a013b1889226a69155fa16caee55cf

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

avicap32

capGetDriverDescriptionA

kernel32

LocalFree
FindFirstFileA
LocalAlloc
MoveFileA
GlobalFree
FindClose
GlobalLock
GlobalAlloc
OpenProcess
Process32Next
GetLogicalDriveStringsA
GetVolumeInformationA
GetDriveTypeA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
DeleteFileA
GlobalUnlock
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
FreeLibrary
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
InterlockedExchange
lstrcpyA
ResetEvent
LoadLibraryA
GetProcAddress
LeaveCriticalSection
GetModuleHandleA
GetStartupInfoA
RaiseException
GetLastError

gdi32

GetDIBits
BitBlt
DeleteObject
DeleteDC
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

ClearEventLogA
LookupAccountNameA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyA
RegQueryValueExA
OpenEventLogA
LsaClose
CloseEventLog
RegOpenKeyExA
RegQueryValueA
RegCloseKey
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
IsValidSid

shell32

SHGetFileInfoA
SHGetSpecialFolderPathA

msvcrt

strlen
??0exception@@QAE@ABV0@@Z
_strcmpi
??1type_info@@UAE@XZ
??3@YAXPAX@Z
memmove
ceil
_ftol
strstr
__CxxFrameHandler
??2@YAPAXI@Z
strchr
malloc
free
_except_handler3
strrchr
exit
atoi
_beginthreadex
calloc
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_CxxThrowException
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
memcpy

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e9a013b1889226a69155fa16caee55cf

Headers

File Characteristics

Imports

avicap32

kernel32

gdi32

advapi32

shell32

msvcrt

psapi

wtsapi32

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 12KB - Virtual size: 9KB

.data Size: 12KB - Virtual size: 11KB

.rsrc Size: 20KB - Virtual size: 20KB

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 12KB - Virtual size: 9KB

.data
Size: 12KB - Virtual size: 11KB

.rsrc
Size: 20KB - Virtual size: 20KB