gh0strat | mother[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

mother.exe
Size

1.1MB
MD5

74902e2aa8f543d08dd3ce6b160394c4
SHA1

ed261f760494c58b6ec8ae75986042072a0bb1c0
SHA256

0a21c4c0d6284b6bb9f8969745e2bd4287cb92f7c3464784793679dc554026ab
SHA512

4083ef42fc5266c739a2ae889dde892d8db90a3be3be4ad053e825e18bd6969ae6a43e9f8f5cebe4b6a5fdb275076ccb762034b722eaa64e741f958c52b4c8d9
SSDEEP

24576:wFipiBU7qaWf36jWaidO3haWqeBJM514ZBAOyMtRcaISFbi:8i6fKjjlW

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
mother.exe

Files

mother.exe
.exe windows:4 windows x86 arch:x86

0135cdfbdba9db55c8c4aefd86de74f7

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcmpA
lstrcpynA
SystemTimeToTzSpecificLocalTime
GetPrivateProfileStringA
GetComputerNameA
GlobalMemoryStatus
GetPriorityClass
SuspendThread
Thread32First
Thread32Next
OpenThread
ResumeThread
GetProcessId
CreateRemoteThread
Module32First
lstrcmpiA
Module32Next
lstrcpyW
GetCurrentThreadId
ExpandEnvironmentStringsA
DuplicateHandle
CreateMutexA
OutputDebugStringA
GetEnvironmentVariableA
GetCurrentThread
GetModuleFileNameW
GetSystemDirectoryW
GetSystemInfo
GlobalMemoryStatusEx
LoadLibraryW
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalSize
MultiByteToWideChar
WideCharToMultiByte
GetWindowsDirectoryA
AttachConsole
GetConsoleProcessList
GetCurrentProcessId
FreeConsole
GetCommandLineA
GetTickCount
TerminateThread
GetProcAddress
WinExec
OpenProcess
TerminateProcess
GetVersionExA
GetModuleFileNameA
CopyFileA
MoveFileExA
Beep
DeviceIoControl
GetVersion
ExitProcess
SetEnvironmentVariableA
CompareStringW
CompareStringA
SetStdHandle
IsBadCodePtr
GetStringTypeW
Process32First
Process32Next
CreateToolhelp32Snapshot
GetFileAttributesExA
FileTimeToSystemTime
MoveFileA
SetFileAttributesA
RemoveDirectoryA
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
lstrcpyA
CreateDirectoryA
GetLastError
DeleteFileA
GetCurrentProcess
IsWow64Process
SetFilePointer
WriteFile
LocalSize
GetSystemDirectoryA
GetFileAttributesA
CreateFileA
GetFileSize
ReadFile
lstrlenA
LocalReAlloc
LocalAlloc
LocalFree
FreeLibrary
IsBadReadPtr
VirtualProtect
HeapReAlloc
HeapAlloc
GetProcessHeap
HeapFree
Sleep
CancelIo
SetEvent
ResetEvent
CreateEventA
GetModuleHandleA
GetLocalTime
GlobalAlloc
GlobalLock
GlobalFree
GlobalUnlock
CreateThread
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
InterlockedExchange
WaitForSingleObject
CloseHandle
InterlockedDecrement
FileTimeToLocalFileTime
SetLastError
FlushFileBuffers
LockFile
GetStringTypeA
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
UnlockFile
SetEndOfFile
LoadLibraryA
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
LCMapStringW
LCMapStringA
IsBadWritePtr
HeapCreate
HeapDestroy
HeapSize
GetACP
GetSystemTime
GetTimeZoneInformation
GetFullPathNameA
GetStartupInfoA
RaiseException
RtlUnwind
GetCurrentDirectoryA
GetOEMCP
GetCPInfo
GlobalFlags
GetProcessVersion
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
GlobalDeleteAtom
TlsGetValue
TlsSetValue
GlobalReAlloc
GlobalHandle
TlsAlloc
GetFileTime
InterlockedIncrement

user32

ShowWindow
wsprintfA
MessageBoxA
GetWindowLongA
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
PostQuitMessage
DispatchMessageA
SendMessageA
SetWindowLongA
LoadIconA
SetClassLongA
DestroyWindow
CharNextA
GetMenuItemCount
TranslateMessage
IsDialogMessageA
GetMessageA
EnumWindows
ExitWindowsEx
SwapMouseButton
GetWindowRect
MoveWindow
FindWindowA
ChangeDisplaySettingsA
GetSystemMetrics
GetDC
LoadCursorA
DestroyCursor
BlockInput
ReleaseDC
SystemParametersInfoA
keybd_event
MapVirtualKeyA
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
PostMessageA
SetCapture
WindowFromPoint
SetWindowPos
GetDlgItem
SetCursorPos
GetCursorInfo
GetCursorPos
CreateDialogIndirectParamA
SetDlgItemTextA
SetWindowTextA
GetWindowTextLengthA
SetFocus
OpenInputDesktop
CloseDesktop
GetThreadDesktop
GetUserObjectInformationA
SetThreadDesktop
IsWindowVisible
GetWindowThreadProcessId
WaitForInputIdle
RegisterClassA
PostThreadMessageA
GetInputState
RegisterClassExA
CharUpperA
LoadStringA
UnhookWindowsHookEx
EnableWindow
IsWindowEnabled
GetLastActivePopup
GetParent
SetWindowsHookExA
PeekMessageA
CallNextHookEx
GetNextDlgTabItem
GetFocus
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
GetWindowPlacement
IsIconic
RegisterWindowMessageA
SetForegroundWindow
GetMessagePos
GetMessageTime
RemovePropA
CallWindowProcA
GetPropA
SetPropA
GetClassLongA
GetDlgCtrlID
GetMenuItemID
GetSubMenu
SetRect
GetMenu
GetClassInfoA
WinHelpA
GetCapture
GetTopWindow
CopyRect
GetClientRect
AdjustWindowRectEx
GetSysColor
MapWindowPoints
GetSysColorBrush
PtInRect
ClientToScreen
DestroyMenu
TabbedTextOutA
DrawTextA
GrayStringA
CreateWindowExA
DefWindowProcA
GetLastInputInfo
GetWindow
GetClassNameA
GetDesktopWindow
GetDlgItemTextA

gdi32

CreateCompatibleBitmap
GetDIBits
CreateRectRgnIndirect
CombineRgn
GetRegionData
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
GetDeviceCaps
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
GetObjectA
SaveDC
RestoreDC
GetStockObject
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
PtVisible
RectVisible
Escape
ExtTextOutA
TextOutA

advapi32

RegQueryValueExA
GetTokenInformation
LookupAccountSidA
AbortSystemShutdownA
RegOpenKeyA
StartServiceCtrlDispatcherA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
EnumServicesStatusA
QueryServiceConfigA
QueryServiceConfig2A
QueryServiceStatus
ControlService
LockServiceDatabase
ChangeServiceConfigA
UnlockServiceDatabase
RegCreateKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegEnumKeyExA
RegEnumValueA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
DeleteService
SetServiceStatus
OpenSCManagerA
OpenServiceA
CloseServiceHandle
StartServiceA
RegCreateKeyA
RegSetValueExA
OpenEventLogA
ClearEventLogA
CloseEventLog
GetUserNameA
RegOpenKeyExA

shell32

ShellExecuteExA
SHGetFolderPathA
SHGetFileInfoA
SHGetSpecialFolderPathA

ole32

CoCreateGuid
CoInitialize
CoCreateInstance
CoUninitialize

oleaut32

SysFreeString

comctl32

ord17

winmm

mciSendStringA
waveInGetNumDevs

iphlpapi

GetIfTable

ws2_32

inet_addr
getsockname
bind
gethostname
accept
listen
sendto
recvfrom
__WSAFDIsSet
ioctlsocket
ntohs
inet_ntoa
closesocket
select
recv
socket
gethostbyname
htons
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
getpeername
send

dwmapi

ord102
DwmIsCompositionEnabled

shlwapi

PathFindFileNameA
PathUnquoteSpacesA
PathRemoveArgsA
PathGetArgsA
SHDeleteKeyA

netapi32

NetUserSetInfo
NetUserGetLocalGroups
NetApiBufferFree
NetUserAdd
NetLocalGroupAddMembers
NetUserEnum
NetUserGetInfo
NetUserDel

psapi

GetModuleFileNameExA
GetProcessMemoryInfo

wininet

HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
DeleteUrlCacheEntry
InternetGetConnectedState
InternetReadFile

wtsapi32

WTSFreeMemory
WTSLogoffSession
WTSEnumerateSessionsA
WTSQuerySessionInformationW
WTSDisconnectSession
WTSQuerySessionInformationA

winspool.drv

OpenPrinterA
DocumentPropertiesA
ClosePrinter

comdlg32

GetFileTitleA

Exports

Exports

AsingleDLL
DllFuUpgradrs
DllFuUpgradrs1

Sections

.text
Size: 680KB - Virtual size: 676KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rotext
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 268KB - Virtual size: 265KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 72KB - Virtual size: 521KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0135cdfbdba9db55c8c4aefd86de74f7

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

comctl32

winmm

iphlpapi

ws2_32

dwmapi

shlwapi

netapi32

psapi

wininet

wtsapi32

winspool.drv

comdlg32

Exports

Exports

Sections

.text Size: 680KB - Virtual size: 676KB

.rodata Size: 12KB - Virtual size: 11KB

.rotext Size: 108KB - Virtual size: 107KB

.rdata Size: 268KB - Virtual size: 265KB

.data Size: 72KB - Virtual size: 521KB

.rsrc Size: 16KB - Virtual size: 12KB

.text
Size: 680KB - Virtual size: 676KB

.rodata
Size: 12KB - Virtual size: 11KB

.rotext
Size: 108KB - Virtual size: 107KB

.rdata
Size: 268KB - Virtual size: 265KB

.data
Size: 72KB - Virtual size: 521KB

.rsrc
Size: 16KB - Virtual size: 12KB