gh0strat | e4bd63fb1d4d8f024386799d8a5f0e6a45eda0bd21ef1319fd0e2fefa9c5d58b

Sharing

Copy URL Twitter E-mail

General

Target

e4bd63fb1d4d8f024386799d8a5f0e6a45eda0bd21ef1319fd0e2fefa9c5d58b
Size

376KB
MD5

20d80917b83a6e7e511c75ec153760b7
SHA1

472c5ecb497487cfe100158ec57c03fb16863c17
SHA256

e4bd63fb1d4d8f024386799d8a5f0e6a45eda0bd21ef1319fd0e2fefa9c5d58b
SHA512

a2e2f89f73f711ee65312fdae376a01d06d27ccc8b08f7a0f287715bcab54cff89f8a7abe197a20ac278157b76c2971cc26d1d2027d317fd3ea62e002165b4fb
SSDEEP

6144:u2tv0z63EWei0KC+wKJZ4h2gQiGR7PGfUgoPtgm6TcV/Dkb1axFVtbsx83eWWnmM:ub1gu2gQrBAEQa7Ux8Oh

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
e4bd63fb1d4d8f024386799d8a5f0e6a45eda0bd21ef1319fd0e2fefa9c5d58b

Files

e4bd63fb1d4d8f024386799d8a5f0e6a45eda0bd21ef1319fd0e2fefa9c5d58b
.exe windows:4 windows x86 arch:x86

75d4fd23f4d7c1e7f198f1e087973025

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentProcessId
GetConsoleProcessList
AttachConsole
WriteFile
CreateFileA
lstrcpyA
TerminateThread
GetFileAttributesA
lstrcatA
GetTickCount
GetProcAddress
LoadLibraryA
Process32Next
GetLastError
Process32First
CreateToolhelp32Snapshot
HeapAlloc
GetProcessHeap
VirtualProtect
OpenProcess
HeapFree
LoadLibraryW
lstrcmpiA
GlobalMemoryStatusEx
GetSystemInfo
GetVersionExA
GetModuleHandleA
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
OutputDebugStringA
ReleaseMutex
CreateMutexA
CreateDirectoryA
GetExitCodeProcess
GetCommandLineA
GetCurrentThreadId
CopyFileA
ExpandEnvironmentStringsA
TerminateProcess
FreeConsole
LocalFree
ExitProcess
GetModuleFileNameA
GetShortPathNameA
GetEnvironmentVariableA
SetFileAttributesA
GetCurrentProcess
SetPriorityClass
GetCurrentThread
SetThreadPriority
CreateProcessA
ResumeThread
VirtualFree
lstrlenA
Sleep
CancelIo
InterlockedExchange
SetEvent
ResetEvent
WaitForSingleObject
CloseHandle
CreateEventA
VirtualAlloc
FreeLibrary

user32

GetThreadDesktop
wsprintfA
ExitWindowsEx
GetWindowTextA
EnumWindows
DefWindowProcA
TranslateMessage
DispatchMessageA
GetMessageA
CreateWindowExA
RegisterClassExA
FindWindowA
GetInputState
PostThreadMessageA
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA

advapi32

GetTokenInformation
RegCloseKey
OpenSCManagerA
OpenServiceA
CloseServiceHandle
DeleteService
SetServiceStatus
RegOpenKeyA
RegOpenKeyExA
StartServiceA
ConvertSidToStringSidA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
OpenProcessToken
RegisterServiceCtrlHandlerExA
StartServiceCtrlDispatcherA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegSetValueExA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
RegQueryValueExA

shell32

ShellExecuteA

ole32

CoUninitialize
CoInitialize
CoCreateInstance

oleaut32

VariantClear
VariantInit

msvcp60

??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ

msvcrt

__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
__p___initenv
exit
_XcptFilter
_exit
_controlfp
__dllonexit
??1type_info@@UAE@XZ
strchr
_beginthreadex
_stricmp
strncmp
strcspn
strncpy
atoi
_strupr
_onexit
_except_handler3
memmove
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
free
strrchr
sprintf
strstr
realloc
printf
malloc
rand

ws2_32

htons
gethostbyname
socket
recv
connect
closesocket
send
getsockname
gethostname
setsockopt
WSAIoctl
select
WSAStartup
WSACleanup

shlwapi

SHDeleteKeyA

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationA

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

Sections

.text
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 336KB - Virtual size: 336KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

75d4fd23f4d7c1e7f198f1e087973025

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

msvcp60

msvcrt

ws2_32

shlwapi

wtsapi32

wininet

Sections

.text Size: 28KB - Virtual size: 25KB

.rdata Size: 8KB - Virtual size: 5KB

.data Size: 336KB - Virtual size: 336KB

.text
Size: 28KB - Virtual size: 25KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 336KB - Virtual size: 336KB