gh0strat | 8ed259ebf59f1d3741f6b97b703da556

Sharing

Copy URL Twitter E-mail

General

Target

8ed259ebf59f1d3741f6b97b703da556
Size

99KB
MD5

8ed259ebf59f1d3741f6b97b703da556
SHA1

206bdce5a922b48de07cc351aed491eb072f1abb
SHA256

77f1c4aa77cba189e35d1e36dd28592c54671639ce233f15cdf7e1eb32dd9135
SHA512

7b055f8f61e4cb0070e5dcfd1dadd9210a7ac966772b243bb526209a0c9535f460255e557085076f6f667fd3bd0bc67fd5a8d86cc2ea722118258d833450c095
SSDEEP

3072:Cd4nyqQqR5KhzTyefRj50hhu0SI7Lu3XI7Loimh2e:Cd4nyu8z2q+hgDQu3XQVmhJ

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8ed259ebf59f1d3741f6b97b703da556

Files

8ed259ebf59f1d3741f6b97b703da556
.dll windows:4 windows x86 arch:x86

ef200f4266ca3d0f2170e8aa72698c4b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

WriteProcessMemory
VirtualAllocEx
FreeLibrary
OpenProcess
GetWindowsDirectoryA
InitializeCriticalSection
Process32Next
Process32First
InterlockedExchange
MoveFileExA
GetLocalTime
ExpandEnvironmentStringsA
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
CreateRemoteThread
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GetStartupInfoA
CreatePipe
LocalSize
lstrcmpiA
GetCurrentThreadId
GetCurrentProcess
GetSystemDirectoryA
GetModuleFileNameA
SetLastError
FreeConsole
SetUnhandledExceptionFilter
GetTickCount
SetErrorMode
OpenEventA
GetVersionExA
GlobalMemoryStatus
DeviceIoControl
MoveFileA
WriteFile
SetFilePointer
ReadFile
CreateFileA
GetFileSize
DeleteFileA
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetDiskFreeSpaceExA
lstrcatA
CreateProcessA
lstrlenA
GetFileAttributesA
CreateDirectoryA
GetLastError
ResetEvent
Sleep
CancelIo
lstrcpyA
VirtualAlloc
GetProcAddress
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
TerminateThread
CloseHandle
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
LoadLibraryA
HeapAlloc

user32

DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
keybd_event
UnhookWindowsHookEx
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
MapVirtualKeyA
CallNextHookEx
GetClipboardData
GetSystemMetrics
LoadCursorA
ReleaseDC
GetCursorInfo
GetCursorPos
SetRect
GetDC
IsWindow
CloseWindow
CreateWindowExA
GetKeyNameTextA
GetActiveWindow
EnumWindows
DispatchMessageA
TranslateMessage
GetMessageA
CharNextA
SetWindowsHookExA
OpenClipboard
MessageBoxA
wsprintfA
SetProcessWindowStation
OpenWindowStationA
EmptyClipboard
GetProcessWindowStation
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
IsWindowVisible
GetWindowThreadProcessId
ExitWindowsEx
GetDesktopWindow

gdi32

CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
DeleteObject

advapi32

RegQueryValueExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegCloseKey
RegQueryValueA
RegOpenKeyExA
RegOpenKeyA
RegisterServiceCtrlHandlerA
SetServiceStatus
RegSetValueExA
RegCreateKeyA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor

shell32

SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_strupr
_stricmp
_strnicmp
_strcmpi
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
calloc
_beginthreadex
strncat
_errno
sprintf
strncmp
strncpy
wcstombs
strchr
atoi
realloc
strrchr
_except_handler3
malloc
free
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z

winmm

waveInAddBuffer
waveOutWrite
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveInClose
waveInUnprepareHeader
waveInReset
waveInStop
waveInStart

ws2_32

WSACleanup
bind
inet_addr
ntohs
inet_ntoa
getsockname
WSAStartup
gethostbyname
closesocket
select
send
setsockopt
WSAIoctl
connect
htons
socket
__WSAFDIsSet
recvfrom
sendto
listen
accept
gethostname
getpeername
recv

msvcp60

?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z

wininet

InternetOpenUrlA
InternetOpenA
InternetReadFile
InternetCloseHandle

msvfw32

ICSeqCompressFrame
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
ICSeqCompressFrameStart

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

psapi

GetModuleFileNameExA
EnumProcessModules

Exports

Exports

JunkExport
MadeByWHM
ServiceMain
_JunkExport
__JunkExport

Sections

.text
Size: 79KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ef200f4266ca3d0f2170e8aa72698c4b

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

ws2_32

msvcp60

wininet

msvfw32

imm32

psapi

Exports

Exports

Sections

.text Size: 79KB - Virtual size: 82KB

.rdata Size: 13KB - Virtual size: 13KB

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 79KB - Virtual size: 82KB

.rdata
Size: 13KB - Virtual size: 13KB

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 5KB - Virtual size: 4KB