aeed6f465b742621bf145219db4ca122f2d9986cfc716b03e99afbcbe336a942

Sharing

Copy URL Twitter E-mail

General

Target

aeed6f465b742621bf145219db4ca122f2d9986cfc716b03e99afbcbe336a942
Size

16.6MB
MD5

e715dcea8c5012a51a4a11c508e2c291
SHA1

3ed50df8be27ad52ee959c530a31a93d0f3e7079
SHA256

aeed6f465b742621bf145219db4ca122f2d9986cfc716b03e99afbcbe336a942
SHA512

859c203f2a2a24383d2bfa033561abe7539ad53a7f3dd331f971c2056f8ce207adb0c5bf0f6624b2823826d53f82d9a452cfaaa8330ea7fae7fcc2515658cf74
SSDEEP

393216:1NJ6jElMZoCQ9/+o9dfBZK/LELp+rEjQE:1NJQE0oh791KDELp6DE

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
static1/unpack001/Ghostexp.exe	aspack_v212_v242

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/bcdedit.exe
unpack001/$PLUGINSDIR/nsDialogs.dll
unpack001/Ghostexp.exe
unpack001/bcdedit32.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

aeed6f465b742621bf145219db4ca122f2d9986cfc716b03e99afbcbe336a942
.exe windows:4 windows x86 arch:x86

7fa974366048f9c551ef45714595665e

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:69:9a:d2:fd:dc:2a:e9:9f:33:67:19:3e:2a:1c:b9
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

11/11/2021, 00:00

Not After

10/11/2022, 23:59

Subject

CN=Xiamen Fu Heng Network Co.\, Ltd,O=Xiamen Fu Heng Network Co.\, Ltd,L=XIAMEN,ST=FUJIAN,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:69:9a:d2:fd:dc:2a:e9:9f:33:67:19:3e:2a:1c:b9
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

11/11/2021, 00:00

Not After

10/11/2022, 23:59

Subject

CN=Xiamen Fu Heng Network Co.\, Ltd,O=Xiamen Fu Heng Network Co.\, Ltd,L=XIAMEN,ST=FUJIAN,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f3:f9:17:2b:90:5e:62:af:0b:96:73:e8:94:d4:b1:41:8b:fa:2a:f5:83:b4:c0:95:3c:48:8d:0b:e7:86:0f:12
Signer

Actual PE Digest

f3:f9:17:2b:90:5e:62:af:0b:96:73:e8:94:d4:b1:41:8b:fa:2a:f5:83:b4:c0:95:3c:48:8d:0b:e7:86:0f:12

Digest Algorithm

sha256

PE Digest Matches

true

fe:74:71:f1:be:9a:31:f7:9e:e3:de:57:31:2a:ff:b1:b8:25:9d:f0
Signer

Actual PE Digest

fe:74:71:f1:be:9a:31:f7:9e:e3:de:57:31:2a:ff:b1:b8:25:9d:f0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
SetFileTime
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetTempPathA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
GetPrivateProfileIntA
GlobalLock
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
GlobalUnlock
GlobalAlloc

user32

MapWindowPoints
GetDlgCtrlID
CloseClipboard
GetClipboardData
OpenClipboard
PtInRect
SetWindowRgn
LoadIconA
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
GetClientRect

gdi32

SetTextColor
CreateCompatibleDC
GetObjectA
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHBrowseForFolderA
SHGetDesktopFolder
SHGetPathFromIDListA
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/bcdedit.exe
.exe windows:6 windows x86 arch:x86

aea7ec4000ea25c8f07648a3a844869b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdedit.pdb

Imports

kernel32

GetConsoleOutputCP
WriteConsoleW
GetConsoleMode
GetFileType
GetStdHandle
DeviceIoControl
CloseHandle
CreateFileW
GetModuleFileNameW
SetLastError
FreeLibrary
GetProcAddress
LoadLibraryW
LocalFree
FormatMessageW
WideCharToMultiByte
LoadLibraryExW
LoadResource
FindResourceExW
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
WriteFile
QueryDosDeviceW
GetLastError
CreateFileMappingW
GetVersionExW
GetLocaleInfoW
UnmapViewOfFile
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
SearchPathW
MapViewOfFile

msvcrt

__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__set_app_type
memmove
malloc
free
iswctype
?terminate@@YAXXZ
_controlfp
calloc
isdigit
mbtowc
isleadbyte
isxdigit
localeconv
_snprintf
_itoa
wctomb
ferror
wcstombs
realloc
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
bsearch
wcsncmp
strncmp
wcsstr
wcsrchr
_iob
__mb_cur_max
_wcsupr
_wcslwr
_errno
_wsetlocale
iswspace
towupper
_vsnwprintf
memcpy
memset
wcschr
_wcsicmp
wcstoul
_wcsnicmp
__p__fmode

ntdll

RtlUnwind
RtlStringFromGUID
NtOpenFile
NtClose
RtlGUIDFromString
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlFreeUnicodeString
RtlCompareMemory
RtlAllocateHeap
RtlNtStatusToDosError
RtlFreeHeap
NtQuerySystemInformation
NtWaitForSingleObject
NtDeviceIoControlFile
NtCreateEvent
NtOpenKey
NtEnumerateKey
NtQueryKey
NtQueryAttributesFile
NtUnloadKey
NtLoadKey
NtAdjustPrivilegesToken
NtOpenProcessToken
NtOpenThreadToken
RtlFreeSid
RtlSetOwnerSecurityDescriptor
RtlLengthSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlCreateAcl
RtlLengthSid
RtlAllocateAndInitializeSid
NtSetSecurityObject
NtCreateKey
NtDeleteValueKey
NtQueryValueKey
NtSetValueKey
NtSaveKey
NtCreateFile
NtDeleteKey
LdrGetProcedureAddress
RtlInitAnsiString
LdrGetDllHandle
NtDeleteFile
NtQueryInformationFile
NtQueryVolumeInformationFile
NtResetEvent
RtlGetVersion
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtAllocateUuids

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

Sections

.text
Size: 143KB - Virtual size: 143KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 135KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/nsDialogs.dll
.dll windows:4 windows x86 arch:x86

1e2884056e655f2b7bc5a904e352fc80

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrcpyA
GetFileAttributesA
lstrcmpiA
MulDiv
lstrlenA
HeapFree
GetCurrentDirectoryA
HeapAlloc
HeapReAlloc
GlobalFree
lstrcpynA
GlobalAlloc
GetProcessHeap
SetCurrentDirectoryA

user32

GetPropA
DestroyWindow
CallWindowProcA
SetCursor
LoadCursorA
RemovePropA
CharPrevA
GetWindowLongA
DrawTextA
GetWindowTextA
GetDlgItem
SetWindowLongA
SetWindowPos
CreateDialogParamA
MapWindowPoints
GetWindowRect
SetPropA
CreateWindowExA
IsWindow
SetTimer
KillTimer
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
ShowWindow
wsprintfA
MapDialogRect
GetClientRect
CharNextA
SendMessageA
DrawFocusRect

gdi32

SetTextColor

shell32

SHBrowseForFolderA
SHGetPathFromIDListA

comdlg32

GetSaveFileNameA
GetOpenFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

Create
CreateControl
CreateItem
CreateTimer
GetUserData
KillTimer
OnBack
OnChange
OnClick
OnNotify
SelectFileDialog
SelectFolderDialog
SetRTL
SetUserData
Show

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 572B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/path.ini
$PLUGINSDIR/speed_set.ini
GHLDR
GHLDR_0
Ghost32.exe
.exe windows:4 windows x86 arch:x86

bea2cf4f046a26431404847336a2c0b5

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

31/10/2007, 00:00

Not After

24/11/2010, 23:59

Subject

CN=Symantec Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Symantec Research Labs,O=Symantec Corporation,L=Santa Monica,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

e4:68:25:30:d1:e1:6a:79:67:50:4d:22:6d:4c:4f:5e:8b:a6:be:2c
Signer

Actual PE Digest

e4:68:25:30:d1:e1:6a:79:67:50:4d:22:6d:4c:4f:5e:8b:a6:be:2c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

e:\depot\ghost\gss2.0\ghost\ghost\src\core\vs2005\win32\release\Ghost32.pdb

Imports

kernel32

GetVersionExA
GetProcessHeap
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
GetTimeZoneInformation
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
GetModuleHandleA
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
GetCurrentThread
ExitProcess
CloseHandle
WriteFile
GetStdHandle
GetModuleFileNameA
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetACP
GetOEMCP
IsValidCodePage
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
GetTimeFormatA
GetCommandLineA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
GetConsoleCP
GetConsoleMode
FlushFileBuffers
ReadFile
SetFilePointer
FreeLibrary
LoadLibraryA
SetStdHandle
CreateFileA
GetLocaleInfoW
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
LocalAlloc
ReadProcessMemory
GetEnvironmentVariableW
LocalFileTimeToFileTime
FileTimeToSystemTime
SystemTimeToFileTime
HeapAlloc
RaiseException
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
SetConsoleCtrlHandler
RtlUnwind
HeapFree
GetLastError
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
InterlockedExchange
Sleep
InterlockedDecrement
SetConsoleMode
ReadConsoleInputA
ResumeThread
ExitThread
InterlockedCompareExchange
GetOverlappedResult
GetFileSize
GetLogicalDriveStringsA
SetErrorMode
GetSystemInfo
GetProcessWorkingSetSize
SetProcessWorkingSetSize
VirtualLock
DeviceIoControl
CreateThread
GetDateFormatA
InterlockedIncrement
FormatMessageA
FreeConsole
GlobalMemoryStatus
IsDBCSLeadByteEx
GetLogicalDrives
FindClose
FindNextFileA
FileTimeToLocalFileTime
GetFileAttributesA
GetDiskFreeSpaceA
CreateDirectoryA
DeleteFileA
RemoveDirectoryA
MoveFileA
GetBinaryTypeA
GetVolumeInformationA
GetDriveTypeA
GetFullPathNameA
GetCurrentDirectoryA
FindFirstFileA
SetFileTime
SetFileAttributesA
BackupSeek
BackupRead
QueryPerformanceFrequency
CreateEventA
ResetEvent
WaitForSingleObject
SetEvent
DefineDosDeviceW
CreateFileW
VirtualQuery
IsBadWritePtr
GetThreadContext

rpcrt4

UuidCreate

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

ws2_32

bind
accept
WSASetLastError
recvfrom
WSAAddressToStringA
sendto
WSASocketA
WSACloseEvent
htons
htonl
recv
WSACreateEvent
WSAWaitForMultipleEvents
ioctlsocket
WSAEnumNetworkEvents
WSASend
inet_ntoa
WSAStartup
WSACleanup
gethostname
gethostbyname
closesocket
socket
connect
WSAGetLastError
listen
inet_addr
setsockopt
WSAEventSelect
getsockopt
getsockname
ntohl
WSASendTo
send
WSARecvFrom
WSARecv
WSAIoctl
shutdown

imm32

ImmDisableIME

imagehlp

ImageRemoveCertificate
ImageGetCertificateHeader

user32

SetWindowTextW
RegisterClassA
CreateWindowExA
GetDC
GetDesktopWindow
GetWindowRect
AdjustWindowRect
GetUpdateRect
ValidateRect
DefWindowProcA
CharToOemA
ExitWindowsEx
DispatchMessageA
TranslateMessage
PeekMessageA
SetCursor
LoadCursorA
ScreenToClient
GetCursorPos
FindWindowExW
DestroyWindow
ReleaseDC
GetKeyState
ToAscii
GetKeyboardState
TrackMouseEvent
SetCapture
GetCapture
SetFocus
GetFocus
ReleaseCapture
SetWindowPos

gdi32

CreateSolidBrush
GetPixel
StretchDIBits
CreatePalette
SelectPalette
RealizePalette
SelectObject
DeleteObject

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyExA
RegOpenKeyA
RegQueryValueExA

ole32

OleRun
CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

SysAllocString
SysFreeString

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 680KB - Virtual size: 679KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 236KB - Virtual size: 655KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Ghostexp.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 496KB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 84KB - Virtual size: 292KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 216KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.aspack
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.adata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
bcdedit32.exe
.exe windows:6 windows x86 arch:x86

aea7ec4000ea25c8f07648a3a844869b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdedit.pdb

Imports

kernel32

GetConsoleOutputCP
WriteConsoleW
GetConsoleMode
GetFileType
GetStdHandle
DeviceIoControl
CloseHandle
CreateFileW
GetModuleFileNameW
SetLastError
FreeLibrary
GetProcAddress
LoadLibraryW
LocalFree
FormatMessageW
WideCharToMultiByte
LoadLibraryExW
LoadResource
FindResourceExW
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
WriteFile
QueryDosDeviceW
GetLastError
CreateFileMappingW
GetVersionExW
GetLocaleInfoW
UnmapViewOfFile
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
SearchPathW
MapViewOfFile

msvcrt

__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__set_app_type
memmove
malloc
free
iswctype
?terminate@@YAXXZ
_controlfp
calloc
isdigit
mbtowc
isleadbyte
isxdigit
localeconv
_snprintf
_itoa
wctomb
ferror
wcstombs
realloc
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
bsearch
wcsncmp
strncmp
wcsstr
wcsrchr
_iob
__mb_cur_max
_wcsupr
_wcslwr
_errno
_wsetlocale
iswspace
towupper
_vsnwprintf
memcpy
memset
wcschr
_wcsicmp
wcstoul
_wcsnicmp
__p__fmode

ntdll

RtlUnwind
RtlStringFromGUID
NtOpenFile
NtClose
RtlGUIDFromString
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlFreeUnicodeString
RtlCompareMemory
RtlAllocateHeap
RtlNtStatusToDosError
RtlFreeHeap
NtQuerySystemInformation
NtWaitForSingleObject
NtDeviceIoControlFile
NtCreateEvent
NtOpenKey
NtEnumerateKey
NtQueryKey
NtQueryAttributesFile
NtUnloadKey
NtLoadKey
NtAdjustPrivilegesToken
NtOpenProcessToken
NtOpenThreadToken
RtlFreeSid
RtlSetOwnerSecurityDescriptor
RtlLengthSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlCreateAcl
RtlLengthSid
RtlAllocateAndInitializeSid
NtSetSecurityObject
NtCreateKey
NtDeleteValueKey
NtQueryValueKey
NtSetValueKey
NtSaveKey
NtCreateFile
NtDeleteKey
LdrGetProcedureAddress
RtlInitAnsiString
LdrGetDllHandle
NtDeleteFile
NtQueryInformationFile
NtQueryVolumeInformationFile
NtResetEvent
RtlGetVersion
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtAllocateUuids

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

Sections

.text
Size: 143KB - Virtual size: 143KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 135KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7fa974366048f9c551ef45714595665e

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

08:69:9a:d2:fd:dc:2a:e9:9f:33:67:19:3e:2a:1c:b9Certificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

08:69:9a:d2:fd:dc:2a:e9:9f:33:67:19:3e:2a:1c:b9Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

f3:f9:17:2b:90:5e:62:af:0b:96:73:e8:94:d4:b1:41:8b:fa:2a:f5:83:b4:c0:95:3c:48:8d:0b:e7:86:0f:12Signer

fe:74:71:f1:be:9a:31:f7:9e:e3:de:57:31:2a:ff:b1:b8:25:9d:f0Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 52KB

.rsrc Size: 28KB - Virtual size: 28KB

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1KB - Virtual size: 1KB

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

08:69:9a:d2:fd:dc:2a:e9:9f:33:67:19:3e:2a:1c:b9
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

08:69:9a:d2:fd:dc:2a:e9:9f:33:67:19:3e:2a:1c:b9
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

f3:f9:17:2b:90:5e:62:af:0b:96:73:e8:94:d4:b1:41:8b:fa:2a:f5:83:b4:c0:95:3c:48:8d:0b:e7:86:0f:12
Signer

fe:74:71:f1:be:9a:31:f7:9e:e3:de:57:31:2a:ff:b1:b8:25:9d:f0
Signer

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 52KB

.rsrc
Size: 28KB - Virtual size: 28KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 100B

.reloc
Size: 1024B - Virtual size: 520B

.text
Size: 143KB - Virtual size: 143KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 135KB - Virtual size: 135KB

.reloc
Size: 7KB - Virtual size: 7KB

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 572B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

e4:68:25:30:d1:e1:6a:79:67:50:4d:22:6d:4c:4f:5e:8b:a6:be:2c
Signer

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 680KB - Virtual size: 679KB

.data
Size: 236KB - Virtual size: 655KB