gh0strat | 03f2ebbe13ddf8ba4c32ce56ebcd575b[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

03f2ebbe13ddf8ba4c32ce56ebcd575b.bin
Size

152KB
MD5

03f2ebbe13ddf8ba4c32ce56ebcd575b
SHA1

8be5fb0664982ecc84dbd91330ef73863f01ec00
SHA256

7a2f34547d7690d20d84f945dc8ca9972ed4f3f8a14d57c4a53b76f6cf45853b
SHA512

227a4fb0f15b49c424ca36f871cd3a9cef5dc6a8ccf6834808baec4d3e944dcd8083c2376b934c025d4bfb7d5c340b3b422c21113b2b2bbc99fbfc584c56085f
SSDEEP

3072:dYxOwj/xNdy96pWMz3tMxVf+UR8fyOJffTBftEdEzlMUHy+C6:abxnW6pWMztIWLfyOxfTBlEGlMUHyy

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
03f2ebbe13ddf8ba4c32ce56ebcd575b.bin

Files

03f2ebbe13ddf8ba4c32ce56ebcd575b.bin
.dll windows:4 windows x86 arch:x86

5a55be3b156bb6e0898035f7749d4809

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

Sleep
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetProcAddress
GetModuleHandleA
lstrcatA
GetTickCount
lstrlenA
GetLocalTime
HeapFree
GetProcessHeap
MapViewOfFile
GetLastError
CreateFileMappingA
GetShortPathNameA
lstrcpyA
HeapAlloc
LocalFree
LocalAlloc
InterlockedDecrement
InterlockedIncrement
GetModuleFileNameA
SetUnhandledExceptionFilter
FormatMessageA
VirtualQuery
IsBadWritePtr
MultiByteToWideChar
FreeLibrary
WideCharToMultiByte
InterlockedExchange
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
GetVersionExA
lstrcmpiA
ExpandEnvironmentStringsA
GetSystemDirectoryA
LocalReAlloc
LocalSize
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
VirtualProtect
SetEnvironmentVariableA
GetTempPathA
GetLongPathNameA
GetSystemInfo
GetProcessTimes
GlobalMemoryStatusEx
GetTempFileNameA
DeleteFileA
RemoveDirectoryA
ExitThread
IsBadReadPtr
IsBadStringPtrW
InitializeCriticalSection
VirtualFree
LeaveCriticalSection
VirtualAlloc
ExitProcess
GetExitCodeProcess
RaiseException
lstrcmpA
CloseHandle
LoadLibraryA

user32

wvsprintfA
GetClassNameA
MessageBoxA
GetCursorInfo
DestroyCursor
LoadCursorA
DestroyWindow
CreateWindowExA
CloseWindowStation
ShowWindow
wsprintfA
GetWindow

advapi32

RegOpenKeyExW

msvcrt

_adjust_fdiv
_initterm
??1type_info@@UAE@XZ
_onexit
__dllonexit
_strupr
_strlwr
_memicmp
_wcsicmp
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_except_handler3
strchr
strncat
wcsrchr
rand
srand
_ftol
realloc
malloc
strstr
free
_beginthreadex
strncpy
atoi
wcstombs
memmove
ceil
strrchr
wcslen
_CxxThrowException

Exports

Exports

CpyCommon

Sections

.text
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5a55be3b156bb6e0898035f7749d4809

Headers

File Characteristics

Imports

kernel32

user32

advapi32

msvcrt

Exports

Exports

Sections

.text Size: 100KB - Virtual size: 96KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 12KB - Virtual size: 17KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 100KB - Virtual size: 96KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB