gh0strat | tmp

Sharing

Copy URL Twitter E-mail

General

Target

tmp
Size

108KB
MD5

f494ebf692ec096ad75b3417e2a63ee0
SHA1

d3762b977035d1dfbcacd46ccfc0d00d2f490f7c
SHA256

225cb82545dfbd70f8b05b95004b3eaac4e2f9ec408c5d72200ad36a39b969b9
SHA512

e31a03d4f8a04d0d4adc0ca6ed858823e48429674b7d629de919deb2764cbdae758f4a45a708e505528f8f530f6254af00ce3beff103f1c1b622b892e5aa2ce3
SSDEEP

1536:ongBItTzXcG6ZO/8RrU+cNCy65KiCUf6IDh9AjLo5ZY5WKQaSno2dMpFI149+/:ugBIpQxykrUTNCH5KY6DXXUo2QIi9I

Score

10^/10

gh0strat

Malware Config

Extracted

Family

gh0strat

microsoftel.com

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
tmp

Files

tmp
.dll windows:4 windows x86 arch:x86

9ddeea813de9678451f86a8188078ef2

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrcmpiA
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
HeapFree
VirtualProtect
GetProcessHeap
HeapAlloc
GlobalMemoryStatusEx
GetModuleHandleA
GetLastError
CreateProcessA
FreeLibrary
GetCurrentProcessId
SetPriorityClass
GetProcAddress
GetCurrentProcess
ReadFile
ExitProcess
GetVersionExA
GetTickCount
WinExec
LocalAlloc
LocalSize
LocalFree
GetModuleFileNameA
GetFileAttributesA
CopyFileA
MoveFileExA
CreateDirectoryA
SetFileAttributesA
LoadLibraryA
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
TerminateProcess
FindFirstFileA
DeleteFileA
FindNextFileA
FindClose
RemoveDirectoryA
lstrcatA
GetLocalTime
GetSystemDirectoryA
CreateFileA
GetFileSize
SetFilePointer
lstrlenA
WriteFile
CreateThread
OutputDebugStringA
lstrcpyA
Sleep
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
VirtualFree
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
TlsAlloc
GlobalFree
GlobalUnlock
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalAlloc
TlsSetValue
LocalReAlloc
TlsGetValue
lstrcpynA
GetVersion
GetCurrentThreadId
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetProcessVersion
lstrcmpA
GlobalFlags
GetCPInfo
GetOEMCP

user32

CopyRect
GetClientRect
AdjustWindowRectEx
SetFocus
GetSysColor
MapWindowPoints
PostMessageA
LoadIconA
GetTopWindow
SetWindowTextA
LoadCursorA
GetSysColorBrush
ReleaseDC
GetDC
PtInRect
ClientToScreen
PostQuitMessage
DestroyMenu
TabbedTextOutA
DrawTextA
GrayStringA
GetCapture
WinHelpA
GetClassInfoA
RegisterClassA
GetMenu
GetMenuItemCount
GetSubMenu
GetMenuItemID
GetDlgItem
GetDlgCtrlID
DestroyWindow
CreateWindowExA
GetClassLongA
SetPropA
GetPropA
CallWindowProcA
RemovePropA
DefWindowProcA
GetMessageTime
GetMessagePos
SetForegroundWindow
SetWindowLongA
SetWindowPos
RegisterWindowMessageA
SystemParametersInfoA
IsIconic
GetWindowPlacement
GetWindowRect
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem
DispatchMessageA
CallNextHookEx
PeekMessageA
SetWindowsHookExA
GetParent
GetLastActivePopup
IsWindowEnabled
GetLastInputInfo
GetSystemMetrics
ChangeDisplaySettingsA
FindWindowA
GetClassNameA
GetWindow
GetKeyState
GetWindowLongA
SendMessageA
MessageBoxA
EnableWindow
UnhookWindowsHookEx
LoadStringA
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
wsprintfA

advapi32

DeleteService
RegQueryValueA
RegisterServiceCtrlHandlerA
SetServiceStatus
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserA
OpenProcessToken
RegOpenKeyExA
RegSetValueExA
RegCloseKey
OpenSCManagerA
OpenServiceA
OpenEventLogA
ClearEventLogA
CloseEventLog
CloseServiceHandle
RegOpenKeyA
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
StartServiceCtrlDispatcherA

shell32

SHGetSpecialFolderPathA
ShellExecuteExA

msvcrt

??3@YAXPAX@Z
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
_mbscmp
rand
exit
strstr
strncpy
strrchr
system
atoi
strcspn
malloc
_except_handler3
_mbslwr
realloc
free
_beginthreadex
strchr
??1type_info@@UAE@XZ
__dllonexit
_onexit
_initterm
_adjust_fdiv
memset
memcmp
_msize
_expand
_mbschr
memcpy
_stricmp
_strcmpi
memmove
_strupr

ws2_32

WSAStartup
WSACleanup
WSAIoctl
setsockopt
connect
htons
gethostbyname
socket
select
recv
closesocket
send

comctl32

ord17

msvcp60

??0_Winit@std@@QAE@XZ
??0Init@ios_base@std@@QAE@XZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
??1_Winit@std@@QAE@XZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Xran@std@@YAXXZ
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ

urlmon

URLDownloadToFileA

wininet

InternetGetConnectedState

gdi32

ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SetMapMode
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible
GetStockObject
CreateBitmap
SelectObject
RestoreDC
SaveDC
DeleteDC
DeleteObject
GetDeviceCaps
GetObjectA
SetBkColor
SetTextColor
GetClipBox

winspool.drv

OpenPrinterA
DocumentPropertiesA
ClosePrinter

Exports

Exports

Fuck

Sections

.text
Size: 60KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

9ddeea813de9678451f86a8188078ef2

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

msvcrt

ws2_32

comctl32

msvcp60

urlmon

wininet

gdi32

winspool.drv

Exports

Exports

Sections

.text Size: 60KB - Virtual size: 57KB

.rdata Size: 20KB - Virtual size: 16KB

.data Size: 12KB - Virtual size: 20KB

.reloc Size: 12KB - Virtual size: 9KB

.text
Size: 60KB - Virtual size: 57KB

.rdata
Size: 20KB - Virtual size: 16KB

.data
Size: 12KB - Virtual size: 20KB

.reloc
Size: 12KB - Virtual size: 9KB