gh0strat | 3e9615592140c43bb154f58d05cc8293 | Triage

Sharing

General

Target

3e9615592140c43bb154f58d05cc8293
Size

112KB
MD5

3e9615592140c43bb154f58d05cc8293
SHA1

57749b781a3ea3e6b7ee550668ca9aace595c07d
SHA256

41aa08f97af8321baaf7862b9fa22918517ee9ed7dd402b884a82f704245dd80
SHA512

0a3861e048e15ef53556f33d87d189b68eb60e22891921de1228c2d05f23327129ffa459e5af10f467b48062911df4cc6ca628205d495bef355d59fb04f4d88d
SSDEEP

1536:hHFHwdnuClrBw1GCa7C9kTpclySbgxytz6G8YEOm+X:hlHwuwrO1GLmDynxytf8zl+X

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3e9615592140c43bb154f58d05cc8293

Files

3e9615592140c43bb154f58d05cc8293
.dll windows:4 windows x86 arch:x86

170696453bd0a9ea1322700d94f2dbcc

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleHandleA
GetProcAddress
SuspendThread
ResumeThread
OpenThread
lstrcpyA
lstrcmpiA
lstrlenA

psapi

GetModuleInformation

msvcrt

??3@YAXPAX@Z
memmove
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
_beginthreadex
realloc
free
strncpy
malloc
wcstombs
_access
_except_handler3
_initterm
_adjust_fdiv
_stricmp

wtsapi32

WTSQueryUserToken

iphlpapi

SetTcpEntry

Exports

Exports

FUCC
FUCK
RMain
ServiceMain

Sections

.text
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ