gh0strat | 4c1c9583173c62d18f9df505899a06f7

Sharing

Copy URL Twitter E-mail

General

Target

4c1c9583173c62d18f9df505899a06f7
Size

92KB
MD5

4c1c9583173c62d18f9df505899a06f7
SHA1

ea46f04aa84f32b2e143865640626958132ff073
SHA256

5d9de1085bf41ebd4e7f272ace0b74977a9e2eb0c38d91a233742dcc9d89ece4
SHA512

ff0133154ab56c2b2342a120b9f0a3f6d04957a990cc0485ee8d142fab2578161d53307205c82f08d67e858c95d8cbfe24ef944a44df347b730960b8e2f8687c
SSDEEP

1536:XvGvbXTXgHBJdXUx7qd3cAykfhPOSYZRI7XfS0y/iyn:uTkHBJdyqd3LyWhPO3DI7XfSV//n

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4c1c9583173c62d18f9df505899a06f7

Files

4c1c9583173c62d18f9df505899a06f7
.dll windows:4 windows x86 arch:x86

88c401af3d3064da5f704364b028af92

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
FreeLibrary
GetProcAddress
LoadLibraryA
MoveFileExA
GetTickCount
GetLocalTime
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
SetFilePointer
GetSystemDirectoryA
PeekNamedPipe
WaitForMultipleObjects
OutputDebugStringA
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
ReadFile
GetFileSize
RemoveDirectoryA
SetLastError
GetModuleFileNameA
DisconnectNamedPipe
MoveFileA
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
DeleteFileA
CancelIo
InterlockedExchange
ResetEvent
CreateFileA
WriteFile
GetCurrentThreadId
GetVersionExA
lstrcpyA
lstrcmpiA
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
GetCurrentProcess
GetLastError
CreateToolhelp32Snapshot
LocalAlloc
Process32First
lstrlenA
LocalReAlloc
Process32Next
OpenProcess
TerminateProcess
Sleep
LocalSize
LocalFree
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
CreateEventA
lstrcatA
GetProcessHeap
HeapAlloc
CreatePipe
HeapFree

user32

UnhookWindowsHookEx
LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
CharNextA
SetCursorPos
mouse_event
SetWindowsHookExA
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
PostMessageA
wsprintfA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
GetKeyNameTextA
CallNextHookEx
CloseClipboard
GetActiveWindow
DispatchMessageA
TranslateMessage
GetWindowTextA
EnumWindows
CloseDesktop
SetThreadDesktop
WindowFromPoint
GetMessageA
ExitWindowsEx
GetWindowThreadProcessId
IsWindowVisible
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
CreateWindowExA
CloseWindow
IsWindow
OpenInputDesktop

gdi32

CreateCompatibleBitmap
GetDIBits
SelectObject
CreateDIBSection
CreateCompatibleDC
DeleteObject
BitBlt
DeleteDC

advapi32

LookupPrivilegeValueA
CloseEventLog
RegOpenKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
OpenEventLogA
FreeSid
RegCloseKey
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
RegOpenKeyExA
RegEnumValueA
RegEnumKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA
AdjustTokenPrivileges
OpenProcessToken
RegQueryValueA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegCreateKeyA
ClearEventLogA

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_strnicmp
_strcmpi
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
wcstombs
atoi
realloc
strncpy
strrchr
malloc
free
_CxxThrowException
_beginthreadex
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
strchr
strncat
_except_handler3
_itoa

winmm

waveInReset
waveInStop
waveOutWrite
waveInStart
waveInUnprepareHeader
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveInClose
waveOutReset
waveOutClose
waveInAddBuffer
waveOutGetNumDevs
waveOutUnprepareHeader

psapi

EnumProcessModules
GetModuleFileNameExA

ws2_32

socket
gethostname
WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
send
ntohs
recv
closesocket
select
getsockname

msvcp60

?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

netapi32

Netbios

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

msvfw32

ICSeqCompressFrameEnd
ICCompressorFree
ICClose
ICOpen
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage

Exports

Exports

AntiKaba
HOOK
ServiceMain

Sections

.text
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

88c401af3d3064da5f704364b028af92

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

psapi

ws2_32

msvcp60

imm32

netapi32

wininet

avicap32

msvfw32

Exports

Exports

Sections

.text Size: 63KB - Virtual size: 62KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 6KB - Virtual size: 7KB

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 63KB - Virtual size: 62KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 6KB - Virtual size: 7KB

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 4KB