gh0strat | c252729ab5ccbf349db351d7454626aa

Sharing

Copy URL Twitter E-mail

General

Target

c252729ab5ccbf349db351d7454626aa
Size

152KB
MD5

c252729ab5ccbf349db351d7454626aa
SHA1

bdd396d4c8858adce65db1d55a4aebaf45f84207
SHA256

8f7838461831c7bc39cea0552288d836dabb27917b04bac9e76d1ff25bb91feb
SHA512

e81d4f8139bd0932900c827adc356c3fc4fe94424a1b64d5284aae518e70fb1f2efa288a0cd40a9869af81b013ec7d4a5c207f5a74360db3b75f5543c9299657
SSDEEP

3072:ezh+f99+cYT+apNizH6TqoFoafzTBftSqTR:eeWrTbu6WoFo0zTBlSq

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c252729ab5ccbf349db351d7454626aa

Files

c252729ab5ccbf349db351d7454626aa
.dll windows:4 windows x86 arch:x86

6962062f7baa2b0524c5b2a97454b233

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

MessageBoxA
wvsprintfA
CreateWindowExA
DestroyWindow
LoadCursorA
DestroyCursor
GetCursorInfo
CloseWindowStation
GetClassNameA
GetWindow
ShowWindow
GetWindowRect
wsprintfA

kernel32

LocalSize
RaiseException
GetLongPathNameA
GetTempPathA
SetEnvironmentVariableA
GetCurrentProcessId
InterlockedIncrement
InterlockedDecrement
IsBadStringPtrW
IsBadReadPtr
ExitThread
RemoveDirectoryA
VirtualQuery
lstrcpyA
MultiByteToWideChar
lstrlenA
FreeLibrary
GetProcAddress
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
lstrcmpiA
CloseHandle
ExpandEnvironmentStringsA
lstrcatA
InterlockedExchange
Sleep
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetCurrentThreadId
GetTempFileNameA
GetTickCount
ExitProcess
GetSystemDirectoryA
GetExitCodeProcess
GetModuleFileNameA
SetUnhandledExceptionFilter
GetLocalTime
FormatMessageA
GetModuleHandleA
IsBadWritePtr
GetLastError
HeapFree
GetProcessHeap
MapViewOfFile
CreateFileMappingA
GetShortPathNameA
HeapAlloc
LocalFree
LocalAlloc
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
LoadLibraryA
LocalReAlloc
GetCurrentProcess
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
DeleteFileA

oleaut32

SysFreeString

ole32

CoTaskMemFree
CoCreateInstance
CoUninitialize
CoInitialize

msvcrt

strchr
_initterm
_strupr
_memicmp
_wcsicmp
_strlwr
strncat
realloc
wcsrchr
free
_CxxThrowException
wcstombs
srand
rand
??1type_info@@UAE@XZ
_onexit
__dllonexit
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
strrchr
malloc
strstr
_beginthreadex
_except_handler3
atoi
wcslen
memmove
ceil
_ftol
strncpy
_adjust_fdiv

Exports

Exports

DeleteExtractedFiles
DllGetVersion
Extract
FCIAddFile
FCICreate
FCIDestroy
FCIFlushCabinet
FCIFlushFolder
FDICopy
FDICreate
FDIDestroy
FDIIsCabinet
FDITruncateCabinet
GetDllVersion

Sections

.text
Size: 100KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6962062f7baa2b0524c5b2a97454b233

Headers

File Characteristics

Imports

user32

kernel32

oleaut32

ole32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 98KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 98KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB