gh0strat | a44329488e0a8c981b5f50a7d71b760e

Sharing

Copy URL Twitter E-mail

General

Target

a44329488e0a8c981b5f50a7d71b760e
Size

148KB
MD5

a44329488e0a8c981b5f50a7d71b760e
SHA1

ab1ac7e62671d8f913d590c115ddc5a9afb62ee6
SHA256

61542994890fa7981ca38cbbd9103a081a0c036c9c512506464f772170943b7b
SHA512

1aaaa7be53143b239d96a69d205a0d4aeb625882cb2bf1ca8e4502a520c3907e2c120d9cc52324fbbfb9b4545e894180552fbe785cd784f3cb6088626a246187
SSDEEP

3072:VmSq5+/V/DHOJEcNvCkdXfCxmOqQhST37nTBftKwxnQ:Vm+xPavXVCxmlQhSTLnTBlPxn

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a44329488e0a8c981b5f50a7d71b760e

Files

a44329488e0a8c981b5f50a7d71b760e
.dll regsvr32 windows:4 windows x86 arch:x86

492d07f9baa4b10ffc7e27d1f903341f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

wvsprintfA
wsprintfA
GetClassNameA
GetWindow
ShowWindow
EnableWindow
CloseWindowStation
LoadCursorA
DestroyCursor
GetCursorInfo
MessageBoxA
DestroyWindow
CreateWindowExA

kernel32

lstrcmpA
RaiseException
GetTempFileNameA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
IsBadStringPtrW
IsBadReadPtr
ExitThread
RemoveDirectoryA
DeleteFileA
GetCommandLineA
GlobalMemoryStatusEx
GetProcessTimes
CloseHandle
lstrcpyA
lstrlenA
WideCharToMultiByte
lstrcatA
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
GetModuleHandleA
VirtualQuery
IsBadWritePtr
Sleep
GetTickCount
LocalFree
GetProcAddress
GetLastError
lstrcmpiA
LocalReAlloc
LocalSize
LocalAlloc
ExitProcess
GetSystemDirectoryA
ExpandEnvironmentStringsA
GlobalUnlock
GlobalLock
GlobalSize
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
InterlockedExchange
FreeLibrary
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
GlobalFree
GlobalAlloc
GetCurrentProcessId
GetCurrentThreadId
GetShortPathNameA
GetFileAttributesExA
LoadLibraryA
MultiByteToWideChar
SetEnvironmentVariableA
GetTempPathA
GetCurrentProcess
GetLongPathNameA
GetSystemInfo
GetVersionExA

shell32

SHFileOperationA

msvcrt

malloc
_adjust_fdiv
_initterm
_onexit
__dllonexit
_stricmp
_strlwr
_wcsicmp
_strupr
_memicmp
_beginthreadex
wcstombs
atoi
??2@YAPAXI@Z
??3@YAXPAX@Z
wcslen
__CxxFrameHandler
_except_handler3
rand
srand
_ftol
strchr
free
realloc
strstr
strrchr
strncat
wcsrchr
memmove
ceil
strncpy

Exports

Exports

CLSID_CfgComp
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
IID_ICfgComp

Sections

.text
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 294B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

492d07f9baa4b10ffc7e27d1f903341f

Headers

File Characteristics

Imports

user32

kernel32

shell32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 97KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 12KB - Virtual size: 16KB

.rsrc Size: 4KB - Virtual size: 294B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 97KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 12KB - Virtual size: 16KB

.rsrc
Size: 4KB - Virtual size: 294B

.reloc
Size: 8KB - Virtual size: 7KB