gh0strat | xd[.]ex_

Sharing

Copy URL Twitter E-mail

General

Target

xd.ex_
Size

148KB
MD5

5765acc80262f3a96bba079178fa13ea
SHA1

a52f2a8e86d712d477f25e9a41be9f150bd612a1
SHA256

873df098203c98f2364321fa1295a8cb3542af83727b9dc335829f5ba0dc1c97
SHA512

7399641434c42d23d0afea1e6937d5494e29222f860efb5cb03968dc7ab804f75deb792317705c7e057a35ed39de8002c5fe6ebdc99714e3772b790538d47c69
SSDEEP

3072:Ca9hda3MN+xxziSpdEMFI+9n4zDs0MZiTKk2HKAXeasTw/r:Cghdac8ziJ0ZQnaOer

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
xd.ex_

Files

xd.ex_
.exe windows:4 windows x86 arch:x86

a82262c49018b03ea9113f13220d7048

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

OpenProcess
ExitThread
GetTickCount
MultiByteToWideChar
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
GetSystemDirectoryA
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
ReleaseMutex
OpenEventA
SetErrorMode
GetModuleFileNameA
ExitProcess
CreateMutexA
OutputDebugStringA
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
GetCurrentThreadId
MoveFileA
GetFileSize
WriteFile
SetFilePointer
ReadFile
CreateFileA
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateEventA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
FreeLibrary
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
LoadLibraryA
GetProcAddress
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CloseHandle
TerminateProcess
GetModuleHandleA
RaiseException

gdi32

DeleteObject
CreateCompatibleBitmap
GetDIBits
BitBlt
DeleteDC
CreateCompatibleDC
CreateDIBSection
SelectObject

advapi32

GetTokenInformation
LookupAccountSidA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
OpenProcessToken
AdjustTokenPrivileges
OpenEventLogA
ClearEventLogA
CloseEventLog
RegCreateKeyExA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueA
RegCloseKey
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
LsaClose
LookupAccountNameA
IsValidSid

shell32

SHGetFileInfoA

msvcrt

??1type_info@@UAE@XZ
__dllonexit
_onexit
_exit
_XcptFilter
_acmdln
__getmainargs
time
calloc
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_strnicmp
printf
_beginthreadex
sprintf
atol
strncat
exit
wcscpy
_errno
strncmp
__setusermatherr
srand
rand
atoi
strncpy
strrchr
_except_handler3
free
malloc
strchr
_CxxThrowException
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??3@YAXPAX@Z
_initterm
??2@YAPAXI@Z
_strcmpi

winmm

waveOutPrepareHeader
waveOutGetNumDevs
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveOutOpen
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveInClose
waveInUnprepareHeader
waveInAddBuffer
waveInStart
waveOutWrite
waveInStop
waveInReset

mfc42

ord922
ord858
ord6663
ord860
ord4278
ord939
ord6877
ord540
ord2818
ord800
ord924
ord926
ord537
ord6648
ord4129
ord2764
ord535

ws2_32

WSAGetLastError
__WSAFDIsSet
recvfrom
listen
accept
getpeername
bind
getsockname
gethostname
inet_ntoa
WSASocketA
inet_addr
htonl
sendto
send
select
closesocket
recv
ntohs
socket
gethostbyname
htons
connect
setsockopt
WSAStartup
WSACleanup
WSAIoctl

msvcp60

?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

netapi32

NetLocalGroupAddMembers
NetUserAdd

wininet

InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile

msvfw32

ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd

psapi

GetModuleFileNameExA
EnumProcessModules

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Sections

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 124KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a82262c49018b03ea9113f13220d7048

Headers

File Characteristics

Imports

kernel32

gdi32

advapi32

shell32

msvcrt

winmm

mfc42

ws2_32

msvcp60

netapi32

wininet

msvfw32

psapi

wtsapi32

Sections

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 124KB - Virtual size: 128KB

.rsrc Size: 4KB - Virtual size: 124B

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 124KB - Virtual size: 128KB

.rsrc
Size: 4KB - Virtual size: 124B