gh0strat | acd33c7aaca074b61d883539a220d82d

Sharing

Copy URL

Twitter E-mail

General

Target

acd33c7aaca074b61d883539a220d82d
Size

135KB
MD5

acd33c7aaca074b61d883539a220d82d
SHA1

6a1a2f5554c1b440ab93ab1088f11fc2f0b82edf
SHA256

d79a5936dad75bd6505bf204b8274480f9dcb5356feaad393de1994f915fdb5b
SHA512

90ad9c0164696d10425ffb4d040adc86933600958b4b3219d13501ae92a3c2a38796284b5a30d0bcd24799bf60fbf57473e7c911e5502125a634d989f91bf03a
SSDEEP

3072:DnRLqZnAJLLT08TeuNju9y1sOrdMv2mADC7nCpqu:1e1Al08ioyyaCdMv2mAu7nCp/

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
acd33c7aaca074b61d883539a220d82d

Files

acd33c7aaca074b61d883539a220d82d
.dll windows:4 windows x86 arch:x86

24dfc463b145fd208948a41a62c828e3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GetLocalTime
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
HeapAlloc
UnmapViewOfFile
CreateRemoteThread
GetModuleHandleA
WriteProcessMemory
VirtualAllocEx
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
WritePrivateProfileStringA
OpenProcess
PeekNamedPipe
WaitForMultipleObjects
GetPrivateProfileStringA
GetSystemInfo
ReleaseMutex
CreateMutexA
OpenEventA
SetErrorMode
SetUnhandledExceptionFilter
DisableThreadLibraryCalls
FreeConsole
FreeLibrary
MoveFileExA
CopyFileA
lstrcmpiA
GetCurrentThreadId
GetTempPathA
DeviceIoControl
GetStartupInfoA
GetVersion
Process32Next
GlobalMemoryStatus
GetCurrentProcess
MoveFileA
RemoveDirectoryA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
lstrcatA
CreateProcessA
DeleteFileA
LoadLibraryA
GetProcAddress
WriteFile
lstrlenA
lstrcpyA
GetFileAttributesA
CreateDirectoryA
GetLastError
FindFirstFileA
SetFilePointer
ReadFile
LocalFree
CreateFileA
GetFileSize
Sleep
CancelIo
InterlockedExchange
ResetEvent
LocalAlloc
LocalSize
LocalReAlloc
InterlockedDecrement
WideCharToMultiByte
InterlockedIncrement
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
CreateEventA
DeleteCriticalSection
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
ExitProcess
GetTickCount
GetSystemDirectoryA
SetLastError
OutputDebugStringA
GetModuleFileNameA
CreateToolhelp32Snapshot
GetVersionExA
Process32First
CloseHandle
CreatePipe

user32

LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
GetKeyNameTextA
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
UnhookWindowsHookEx
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
SetProcessWindowStation
OpenWindowStationA
GetActiveWindow
GetWindowTextA
MessageBoxA
ExitWindowsEx
wsprintfA
CharNextA
GetThreadDesktop
DispatchMessageA
TranslateMessage
GetMessageA
CreateWindowExA
OpenDesktopA
SetWindowsHookExA
GetDC
CallNextHookEx
mouse_event
GetClientRect
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop
ShowWindow
PostMessageA
EnumWindows
GetWindowThreadProcessId
IsWindowVisible
FindWindowA
GetProcessWindowStation

gdi32

GetDIBits
BitBlt
DeleteDC
DeleteObject
CreateCompatibleDC
CreateDIBSection
SelectObject
CreateCompatibleBitmap

advapi32

RegCloseKey
RegQueryValueA
RegCreateKeyA
RegQueryValueExA
RegOpenKeyA
RegSetValueExA
RegCreateKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseEventLog
ClearEventLogA
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
CloseServiceHandle
EnumServicesStatusA
OpenSCManagerA
QueryServiceConfigA
OpenServiceA
DeleteService
ControlService
QueryServiceStatus
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
StartServiceA
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyExA

shell32

SHGetFileInfoA
ShellExecuteA

ole32

CoCreateInstance
CoUninitialize
CoInitialize
CoTaskMemFree

oleaut32

SysFreeString

msvcrt

_strnicmp
_onexit
_strrev
_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_strlwr
__dllonexit
calloc
_beginthreadex
rename
isdigit
strtoul
sprintf
realloc
strncat
_errno
strncmp
_snprintf
strchr
wcscpy
atoi
strncpy
strrchr
_except_handler3
malloc
free
_CxxThrowException
wcstombs
strstr
_ftol
ceil
memmove
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z

winmm

waveInStop
waveInReset
waveOutPrepareHeader
waveInClose
waveOutReset
waveOutUnprepareHeader
waveOutClose
waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutOpen
waveOutGetNumDevs
waveInUnprepareHeader

ws2_32

connect
setsockopt
htons
WSAStartup
gethostbyname
socket
select
ioctlsocket
recv
closesocket
send
gethostname
recvfrom
sendto
accept
inet_ntoa
getpeername
getsockname
ntohs
bind
listen
inet_addr
__WSAFDIsSet
WSACleanup
WSAIoctl

msvcp60

?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

psapi

GetModuleFileNameExA
EnumProcessModules

netapi32

NetUserAdd
NetLocalGroupAddMembers

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

wininet

InternetReadFile

msvfw32

ICSeqCompressFrame
ICOpen
ICGetInfo
ICClose
ICSendMessage
ICCompressorFree
ICSeqCompressFrameStart
ICInfo
ICSeqCompressFrameEnd

Exports

Exports

DeleteInstallFile
FirstRun
ServiceMain
UninstallServer

Sections

.text
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

LangSect
Size: 512B - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

24dfc463b145fd208948a41a62c828e3

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

msvcrt

winmm

ws2_32

msvcp60

psapi

netapi32

imm32

wtsapi32

userenv

wininet

msvfw32

Exports

Exports

Sections

.text Size: 97KB - Virtual size: 97KB

.data Size: 28KB - Virtual size: 27KB

LangSect Size: 512B - Virtual size: 1B

.rsrc Size: 1024B - Virtual size: 4KB

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 97KB - Virtual size: 97KB

.data
Size: 28KB - Virtual size: 27KB

LangSect
Size: 512B - Virtual size: 1B

.rsrc
Size: 1024B - Virtual size: 4KB

.reloc
Size: 7KB - Virtual size: 6KB