Ghost64[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Ghost64.exe
Size

17.1MB
MD5

f982a7c541601878fdd6314f0bd9322e
SHA1

9c9223de054524b8c7290ce399077076e1cc0df9
SHA256

9e1c7e3ea2aa78d19f47673d0b06a6e07dae8378663d4e739b9416846f1a2507
SHA512

70096af96b81d1661641e291ec06142633c1bf083cd7fa5fa446eaced9c74778e52d415fbc70d8b317aaaf962e5b8eab03dbe8bf859899896598913f6fb964e4
SSDEEP

196608:pqctKZ1aD+kJN6AgJI3e+hAq9wMvO8hrDZ:bY6+cNne+hNl5F

Score

1^/10

Malware Config

Signatures

Files

Ghost64.exe
.exe windows:6 windows x64 arch:x64

733b7f7c81d667fe4bebd96ba0efd59d

Code Sign

1d:91:77:16:a9:56:f4:7c:49:b7:ac:89:3f:61:ff:8a
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

21/05/2020, 00:00

Not After

22/05/2023, 23:59

Subject

CN=Broadcom Inc,OU=SED,O=Broadcom Inc,L=San Jose,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1d:91:77:16:a9:56:f4:7c:49:b7:ac:89:3f:61:ff:8a
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

21/05/2020, 00:00

Not After

22/05/2023, 23:59

Subject

CN=Broadcom Inc,OU=SED,O=Broadcom Inc,L=San Jose,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3f:e3:ed:a0:30:48:b6:69:52:fc:bb:8b:c6:d2:5d:b3:c8:7c:12:7f:7d:7b:69:8b:c9:fe:fb:e0:a7:e7:c0:50
Signer

Actual PE Digest

3f:e3:ed:a0:30:48:b6:69:52:fc:bb:8b:c6:d2:5d:b3:c8:7c:12:7f:7d:7b:69:8b:c9:fe:fb:e0:a7:e7:c0:50

Digest Algorithm

sha256

PE Digest Matches

true

ef:b1:94:14:e4:43:00:a8:9e:29:c4:fe:bb:4e:33:a1:01:22:99:17
Signer

Actual PE Digest

ef:b1:94:14:e4:43:00:a8:9e:29:c4:fe:bb:4e:33:a1:01:22:99:17

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\build\executables\ghost64.pdb

Imports

ws2_32

inet_ntoa
recv
WSAPoll
getpeername
getservbyname
ntohs
getnameinfo
freeaddrinfo
getaddrinfo
htons
htonl
ioctlsocket
connect
socket
gethostbyname
gethostname
WSAStartup
WSACleanup
WSAGetLastError
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAIoctl
WSAEventSelect
WSASend
WSAWaitForMultipleEvents
accept
bind
inet_addr
listen
setsockopt
shutdown
__WSAFDIsSet
recvfrom
select
closesocket
getsockopt
getsockname
WSASocketA
WSAAddressToStringA
WSASendTo
WSARecvFrom
WSARecv
WSASetLastError
send
ntohl
sendto

imm32

ImmDisableIME

imagehlp

StackWalk64
SymFunctionTableAccess64
SymGetModuleBase64
ImageGetCertificateHeader
SymEnumSymbols
SymGetTypeInfo
SymFromAddr
ImageRemoveCertificate
SymSetContext
SymInitialize
SymGetLineFromAddr64
SymLoadModule64
SymGetModuleInfo64
SymCleanup
SymSetOptions

netapi32

Netbios

dbghelp

MiniDumpWriteDump

rpcrt4

UuidCreate
UuidToStringW
RpcStringFreeW

kernel32

WaitForSingleObject
CreateEventA
CreateThread
FreeLibrary
LoadLibraryA
SetLastError
GlobalAlloc
GlobalFree
CreateFileW
OutputDebugStringA
DeviceIoControl
EnterCriticalSection
LeaveCriticalSection
ResetEvent
LoadLibraryW
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentProcess
GlobalMemoryStatus
GetSystemTime
SystemTimeToFileTime
CreateDirectoryW
DeleteFileW
GetDiskFreeSpaceW
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
GetFileInformationByHandle
GetFullPathNameW
GetVolumeInformationW
RemoveDirectoryW
GetBinaryTypeW
MoveFileW
ExpandEnvironmentStringsW
DeleteFileA
GetVolumeInformationA
GetCurrentThread
VirtualAlloc
VirtualFree
DefineDosDeviceW
DeleteVolumeMountPointW
GetVolumeNameForVolumeMountPointW
SetVolumeMountPointW
GetDriveTypeA
GetStdHandle
ReadFile
SetEndOfFile
SetFilePointer
WriteFile
CreateFileA
GetFileAttributesExA
GetFileAttributesExW
MultiByteToWideChar
WideCharToMultiByte
IsValidCodePage
IsDBCSLeadByteEx
GetACP
GetOEMCP
GetConsoleCP
GetConsoleOutputCP
FileTimeToLocalFileTime
LocalFileTimeToFileTime
GetSystemTimeAsFileTime
FileTimeToSystemTime
GetEnvironmentVariableW
SetEvent
GetExitCodeProcess
CreateProcessW
FreeConsole
RaiseException
SetUnhandledExceptionFilter
GetCurrentProcessId
GetCurrentThreadId
FormatMessageA
HeapAlloc
HeapFree
GetProcessHeap
InitializeCriticalSection
GetCurrentDirectoryW
DebugBreak
ExitProcess
GetExitCodeThread
GetModuleFileNameW
GetModuleHandleW
GlobalUnlock
GlobalLock
LocalFree
GetSystemInfo
VirtualQuery
VirtualLock
VirtualUnlock
GetProcessWorkingSetSize
SetProcessWorkingSetSize
SetErrorMode
GetFileSize
GetLogicalDriveStringsA
GetFullPathNameA
GetBinaryTypeA
GetOverlappedResult
GetVolumePathNameW
GetCurrentDirectoryA
FindFirstFileW
SetFileTime
SetFileAttributesW
LocalAlloc
BackupRead
BackupSeek
FindNextFileW
GetLogicalDriveStringsW
GetLongPathNameW
GetTempPathW
GetSystemDirectoryW
GetTimeZoneInformation
CopyFileW
MoveFileExW
CreateHardLinkW
CreateSymbolicLinkW
SetEnvironmentVariableW
GetVersionExW
GetComputerNameW
ReleaseMutex
CreateMutexW
CreateEventW
WaitForMultipleObjects
TryEnterCriticalSection
Sleep
GetProcAddress
GetModuleHandleA
GetLastError
IsDebuggerPresent
OpenFileMappingA
UnmapViewOfFile
MapViewOfFile
CloseHandle
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
IsProcessorFeaturePresent
WaitForSingleObjectEx
InitializeSListHead
GetStartupInfoW
FormatMessageW
GetStringTypeW
SetCurrentDirectoryW
FindFirstFileExW
AreFileApisANSI
CreateDirectoryExW
EncodePointer
DecodePointer
SwitchToThread
TlsAlloc
GetTickCount
GetVersionExA
GetLocaleInfoA
GetModuleFileNameA
FindNextFileA
FindClose
GetLogicalDrives
InterlockedPushEntrySList
InterlockedFlushSList
LoadLibraryExW
SetConsoleCtrlHandler
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
SetFilePointerEx
GetFileType
GetConsoleMode
RtlUnwindEx
RtlPcToFileHeader
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCPInfo
TlsFree
TlsSetValue
TlsGetValue
ReadConsoleW
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
GetFileSizeEx
HeapReAlloc
OutputDebugStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
SetConsoleMode
GetNumberOfConsoleInputEvents
ReadConsoleInputW
PeekConsoleInputA
HeapSize
WriteConsoleW
SetDllDirectoryW
RtlUnwind
DuplicateHandle
GetProcessTimes
OpenProcess
GetConsoleWindow
SetThreadPriority
CreatePipe
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
ExitThread
ResumeThread
TerminateProcess
FreeLibraryAndExitThread

user32

SetWindowTextW
ValidateRect
GetUpdateRect
ReleaseDC
GetDC
ToAscii
GetKeyboardState
LoadCursorA
GetFocus
AdjustWindowRect
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExA
RegisterClassA
DefWindowProcA
PeekMessageA
DispatchMessageA
TranslateMessage
GetCursorPos
GetWindowRect
SetCursor
SetFocus
GetDesktopWindow
ScreenToClient
FindWindowExW
MsgWaitForMultipleObjects
RegisterDeviceNotificationA
UnregisterClassA
SetTimer
KillTimer
ExitWindowsEx
GetKeyState

gdi32

CreatePalette
StretchDIBits
CreateSolidBrush
DeleteObject
GetPixel
RealizePalette
SelectObject
SelectPalette

ole32

CoTaskMemFree
CoInitializeSecurity
CoSetProxyBlanket
CoInitializeEx
OleRun
CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

CreateErrorInfo
SetErrorInfo
SysFreeString
VariantClear
VariantInit
GetErrorInfo
SafeArrayAccessData
SysAllocString
SafeArrayDestroy
VariantChangeType

advapi32

RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegSetValueExW
RegCreateKeyExW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
SetFileSecurityW
GetFileSecurityW
StartServiceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
StartServiceA
OpenServiceA
OpenSCManagerA
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegUnLoadKeyA
RegSetValueExA
RegSetKeySecurity
DeleteService
CreateServiceA
ControlService
CloseServiceHandle
LookupPrivilegeValueW
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
RegCloseKey
OpenThreadToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExA
RegEnumValueA
RegGetKeySecurity
RegQueryInfoKeyA
RegLoadKeyA

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

crypt32

CertOpenSystemStoreW
CertAddStoreToCollection
CertAddCertificateContextToStore
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertGetNameStringW
CertComparePublicKeyInfo
CryptDecodeObjectEx
CertVerifyCertificateChainPolicy
CertCompareCertificate
CertCreateCertificateContext
CertDuplicateCertificateContext
PFXImportCertStore
CertGetCertificateChain
CertFreeCertificateChain
CertVerifyRevocation

iphlpapi

GetAdaptersInfo

Sections

.text
Size: 12.2MB - Virtual size: 12.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 402KB - Virtual size: 616KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 638KB - Virtual size: 637KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 1024B - Virtual size: 777B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 283B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 107KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

733b7f7c81d667fe4bebd96ba0efd59d

Code Sign

1d:91:77:16:a9:56:f4:7c:49:b7:ac:89:3f:61:ff:8aCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

1d:91:77:16:a9:56:f4:7c:49:b7:ac:89:3f:61:ff:8aCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

3f:e3:ed:a0:30:48:b6:69:52:fc:bb:8b:c6:d2:5d:b3:c8:7c:12:7f:7d:7b:69:8b:c9:fe:fb:e0:a7:e7:c0:50Signer

ef:b1:94:14:e4:43:00:a8:9e:29:c4:fe:bb:4e:33:a1:01:22:99:17Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

imm32

imagehlp

netapi32

dbghelp

rpcrt4

kernel32

user32

gdi32

ole32

oleaut32

advapi32

version

crypt32

iphlpapi

Sections

.text Size: 12.2MB - Virtual size: 12.2MB

.rdata Size: 3.6MB - Virtual size: 3.6MB

.data Size: 402KB - Virtual size: 616KB

.pdata Size: 638KB - Virtual size: 637KB

.idata Size: 18KB - Virtual size: 18KB

.tls Size: 1024B - Virtual size: 777B

.00cfg Size: 512B - Virtual size: 283B

.rsrc Size: 15KB - Virtual size: 14KB

.reloc Size: 107KB - Virtual size: 107KB

1d:91:77:16:a9:56:f4:7c:49:b7:ac:89:3f:61:ff:8a
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

1d:91:77:16:a9:56:f4:7c:49:b7:ac:89:3f:61:ff:8a
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

3f:e3:ed:a0:30:48:b6:69:52:fc:bb:8b:c6:d2:5d:b3:c8:7c:12:7f:7d:7b:69:8b:c9:fe:fb:e0:a7:e7:c0:50
Signer

ef:b1:94:14:e4:43:00:a8:9e:29:c4:fe:bb:4e:33:a1:01:22:99:17
Signer

.text
Size: 12.2MB - Virtual size: 12.2MB

.rdata
Size: 3.6MB - Virtual size: 3.6MB

.data
Size: 402KB - Virtual size: 616KB

.pdata
Size: 638KB - Virtual size: 637KB

.idata
Size: 18KB - Virtual size: 18KB

.tls
Size: 1024B - Virtual size: 777B

.00cfg
Size: 512B - Virtual size: 283B

.rsrc
Size: 15KB - Virtual size: 14KB

.reloc
Size: 107KB - Virtual size: 107KB