gh0strat | 771936906a87621f6ef6cf5d9c79dce8

Sharing

Copy URL

Twitter E-mail

General

Target

771936906a87621f6ef6cf5d9c79dce8
Size

131KB
MD5

771936906a87621f6ef6cf5d9c79dce8
SHA1

43f540522ae55d32882ab784e914c248af320d6a
SHA256

f24aa7386e2a8fc5ddadad9cf129bb62215eeb911f71f3110e98eba4beab08b2
SHA512

fa109c53e5d3dbd4f5447b34e395ed020ebb8b20c0c3061a5fb6d377348dac2d67fe69d5291d488b8ef39c20bd037da86752d2a8c400d4a387f22a2cf1b34a5a
SSDEEP

3072:248u3PBvRifhSQA/xCdK567EJSCxMelWSdJ09d/:2NkPKfKz5E7Cx1lFq/

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
771936906a87621f6ef6cf5d9c79dce8

Files

771936906a87621f6ef6cf5d9c79dce8
.dll windows:4 windows x86 arch:x86

0c69eb384b062b5f11de68d05c3856ab

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
GetLastError
CreateDirectoryA
lstrlenA
GetDiskFreeSpaceExA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
WriteFile
MoveFileA
lstrcatA
SetFilePointer
GetModuleFileNameA
SetLastError
CopyFileA
GetCurrentProcess
VirtualAllocEx
GetLocalTime
MoveFileExA
GetTickCount
HeapFree
GetProcessHeap
HeapAlloc
EnterCriticalSection
InterlockedExchange
VirtualFree
GetFileAttributesA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
DeviceIoControl
GetSystemInfo
GetModuleHandleA
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
CreateRemoteThread
OpenProcess
Module32Next
Module32First
LeaveCriticalSection
DeleteCriticalSection
CreateThread
ResumeThread
RaiseException
SetEvent
WaitForSingleObject
DeleteFileA
Sleep
CancelIo
VirtualAlloc
ResetEvent
LoadLibraryA
GetProcAddress
lstrcpyA
CloseHandle
UnmapViewOfFile
CreateEventA

user32

CloseDesktop
ExitWindowsEx
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
GetCursorPos
GetCursorInfo
ReleaseDC
GetDesktopWindow
GetDC
SetRect
GetSystemMetrics
GetClipboardData
OpenClipboard
EmptyClipboard
SetThreadDesktop
mouse_event
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
keybd_event
CloseWindow
PostMessageA
GetUserObjectInformationA
PostQuitMessage
DispatchMessageA
TranslateMessage
GetMessageA
CloseClipboard
wsprintfA
CharNextA
SetClipboardData
MessageBoxA
OpenInputDesktop
GetThreadDesktop
LoadCursorA
LoadIconA
RegisterClassA
CreateWindowExA
ShowWindow
UpdateWindow
UnhookWindowsHookEx
CallNextHookEx
GetActiveWindow
GetKeyState
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
SendMessageA
DefWindowProcA
OpenDesktopA
IsWindow
DestroyCursor

gdi32

CreateDIBSection
SelectObject
GetStockObject
CreateCompatibleBitmap
GetDIBits
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt

shell32

SHGetSpecialFolderPathA
SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_snprintf
_beginthreadex
wcstombs
atol
_strcmpi
strchr
strncat
sprintf
strncmp
atoi
realloc
calloc
fwrite
fclose
strncpy
strrchr
malloc
free
_except_handler3
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
_initterm
_adjust_fdiv
_strnset
_strrev
_stricmp
_strnicmp
fopen

winmm

waveInStart
waveInAddBuffer
waveInPrepareHeader
waveOutPrepareHeader
waveInGetNumDevs
waveOutOpen

userenv

GetProfilesDirectoryA
GetUserProfileDirectoryA

msvcp60

?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

msvfw32

ICClose
ICSendMessage
ICSeqCompressFrameStart
ICSeqCompressFrame
ICCompressorFree
ICSeqCompressFrameEnd
ICOpen

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationA

Exports

Exports

CodeMain
CodeService
MainCode
MainService
ServiceCode
ServiceMain

Sections

.text
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0c69eb384b062b5f11de68d05c3856ab

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

shlwapi

msvcrt

winmm

userenv

msvcp60

imm32

avicap32

msvfw32

wtsapi32

Exports

Exports

Sections

.text Size: 95KB - Virtual size: 94KB

.rdata Size: 15KB - Virtual size: 14KB

.data Size: 11KB - Virtual size: 25KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 95KB - Virtual size: 94KB

.rdata
Size: 15KB - Virtual size: 14KB

.data
Size: 11KB - Virtual size: 25KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 7KB