gh0strat | 08998538e5a207efc311ad4faa66ed85

Sharing

Copy URL Twitter E-mail

General

Target

08998538e5a207efc311ad4faa66ed85
Size

107KB
MD5

08998538e5a207efc311ad4faa66ed85
SHA1

0e48b886a4e362357730fc1aa2a4f75ef2c7f344
SHA256

581926b801791c2ca81f40cc5404eafbdac0c91c2e3b1054bb75c6d20e87f120
SHA512

d9cd80c4ff5ecca8ee510bc8500b5acf8ada906f05aa15465c4959d608a5ed94129522165c653fbcf73bb97245b1786b54b9485b8f4e111f0a112fb76eeaa689
SSDEEP

3072:WxoxHzggFKOXgF74nRnqHD8MeE5HWc9c2LfRFn:fMgMO5sDhb52OcefRh

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
08998538e5a207efc311ad4faa66ed85

Files

08998538e5a207efc311ad4faa66ed85
.exe windows:4 windows x86 arch:x86

9d55d247dc27a84b12673fe7ac2727e8

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
SetLastError
GetModuleHandleA
SetFileTime
GetFileTime
MoveFileA
GlobalFree
OpenEventA
SetErrorMode
CreateMutexA
GetTempPathA
SetHandleInformation
FreeConsole
ExitProcess
GetCurrentThreadId
GetCommandLineA
Process32Next
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
MoveFileExA
GetSystemTime
UnmapViewOfFile
CreateFileMappingA
ReleaseMutex
MapViewOfFile
ReadFile
GetFileSize
OpenProcess
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
CreateDirectoryA
GetLastError
DeleteFileA
CreateFileA
SetFilePointer
WriteFile
LocalSize
LocalFree
GetFileAttributesA
LocalReAlloc
LocalAlloc
GetVersionExA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
MultiByteToWideChar
GetWindowsDirectoryA
lstrcpyA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
GetProcessHeap
HeapAlloc
GetCurrentProcessId
LoadLibraryA
GetProcAddress
FreeLibrary
GetLocalTime
GetTickCount
Sleep
CancelIo
InterlockedExchange
ResetEvent
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
OutputDebugStringA
WinExec
GetSystemDirectoryA
GetCurrentProcess
RemoveDirectoryA
GetModuleFileNameA
ResumeThread
SetEvent
WaitForSingleObject
CreateEventA
TerminateThread
CloseHandle
SetFileAttributesA

user32

MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
BlockInput
OpenWindowStationA
GetProcessWindowStation
PostThreadMessageA
keybd_event
GetWindowThreadProcessId
IsWindowVisible
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
IsWindow
CloseWindow
CreateWindowExA
PostMessageA
OpenDesktopA
DestroyCursor
LoadCursorA
DispatchMessageA
SendMessageA
GetInputState
SystemParametersInfoA
SetProcessWindowStation
TranslateMessage
GetMessageA
wsprintfA
CharNextA
MessageBoxA
GetWindowTextA

gdi32

DeleteObject
BitBlt
CreateDIBSection
SelectObject
CreateCompatibleBitmap
GetDIBits
CreateCompatibleDC
DeleteDC

advapi32

IsValidSid
LsaClose
LookupAccountNameA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
LsaOpenPolicy
LsaFreeMemory
RegQueryValueA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
OpenProcessToken
CloseEventLog
ClearEventLogA
OpenEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA
RegCreateKeyA
SetServiceStatus
RegOpenKeyA
CreateServiceA
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
QueryServiceConfigA
EnumServicesStatusA
LookupAccountSidA
GetTokenInformation
LsaRetrievePrivateData

shell32

ShellExecuteA
SHGetSpecialFolderPathA
SHGetFileInfoA

shlwapi

SHDeleteKeyA
PathFindExtensionA

msvcrt

calloc
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
strlen
??0exception@@QAE@ABV0@@Z
_strcmpi
_strnicmp
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
memcpy
_beginthreadex
wcstombs
srand
strncmp
atoi
realloc
strncat
fopen
fwrite
fclose
strrchr
_except_handler3
free
malloc
strchr
strncpy
sprintf
puts
putchar
rand
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z

winmm

waveOutClose
waveInStop
waveOutUnprepareHeader
waveInStart
waveInPrepareHeader
waveInOpen
waveOutReset
waveInReset
waveInUnprepareHeader
waveOutWrite
waveInAddBuffer
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveInClose

ws2_32

WSACleanup
WSAStartup
WSAIoctl
connect
htons
gethostbyname
socket
gethostname
getsockname
htonl
WSASocketA
sendto
inet_addr
send
closesocket
recv
setsockopt
select

wininet

InternetOpenUrlA
InternetReadFile
InternetCloseHandle
InternetOpenA

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameEnd
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICCompressorFree
ICClose

psapi

EnumProcessModules
GetModuleFileNameExA

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Sections

.text
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9d55d247dc27a84b12673fe7ac2727e8

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

ws2_32

wininet

avicap32

msvfw32

psapi

wtsapi32

Sections

.text Size: 78KB - Virtual size: 78KB

.rdata Size: 14KB - Virtual size: 14KB

.data Size: 7KB - Virtual size: 8KB

.rsrc Size: 6KB - Virtual size: 5KB

.text
Size: 78KB - Virtual size: 78KB

.rdata
Size: 14KB - Virtual size: 14KB

.data
Size: 7KB - Virtual size: 8KB

.rsrc
Size: 6KB - Virtual size: 5KB