Behavioral task: behavioral1
Sample: c99cc8b34524015badda5483270c956b2c287fe4c527385d6775bd15cdd29e3e.exe
Resource: win7-20240903-en
General
Target: 7f1dfd29e1fcc21a96bbc85ee73a3c97.zip
Size: 41KB
MD5: fc6e200430facf89d6a0db1d9e73e2b2
SHA1: e8bb4332e335f74859ea0eabe287d575949660dc
SHA256: 6a52bf4e881cba3175ad5ba921904f3fae67b06a3463bdb5bfd4fb8ffc0f1a3b
SHA512: 1d18e00998046a2728226e80347193f259c7270190bd1028254e5cade6f207d59a1f93ef3ca54f52ff820a1fcfa789504589149aa967e807d14da2a8b6595f5e
SSDEEP: 768:xCPzML2aJD3hrQFSDBZMOdtA5hWvmY4Ij+RQRGJbuvv937Bg7Lv9:xCPozpNhDBZM8tmMvmHdCRGJgF37O7Ll
Malware Config
Extracted
  gh0strat
  39.108.140.211
Signatures
- Gh0st RAT payload (1 IoCs)
  resource yara_rule static1/unpack001/c99cc8b34524015badda5483270c956b2c287fe4c527385d6775bd15cdd29e3e family_gh0strat
- Gh0strat family
- Unsigned PE (1 IoCs)
  Checks for missing Authenticode signature.
  resource unpack001/c99cc8b34524015badda5483270c956b2c287fe4c527385d6775bd15cdd29e3e
Files
- 7f1dfd29e1fcc21a96bbc85ee73a3c97.zip.zip
  Password: infected
- c99cc8b34524015badda5483270c956b2c287fe4c527385d6775bd15cdd29e3e.exe windows:4 windows x86 arch:x86
  Password: infected
  aad96c3be82e60a3a63d5a1074456bb0
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
CreateFileA
GetLocalTime
CloseHandle
ExitProcess
GetModuleFileNameA
GlobalMemoryStatusEx
WaitForSingleObject
GetVersionExA
MoveFileA
DeleteFileA
CopyFileA
CreateProcessA
WriteFile
SetFileAttributesA
MoveFileExA
GetFileAttributesA
HeapAlloc
GetProcessHeap
VirtualProtect
HeapFree
SetEvent
CreateEventA
lstrcmpiA
lstrcatA
LocalAlloc
LocalSize
LocalFree
OutputDebugStringA
GetTickCount
LoadLibraryA
GetProcAddress
FreeLibrary
lstrcpyA
lstrlenA
GetLastError
Sleep
InterlockedExchange
VirtualAlloc
CreateDirectoryA
VirtualFree
RtlUnwind
RaiseException
TerminateProcess
GetCurrentProcess
HeapReAlloc
CreateThread
GetCurrentThreadId
TlsSetValue
TlsGetValue
ExitThread
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
TlsAlloc
SetLastError
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetUnhandledExceptionFilter
HeapSize
GetEnvironmentVariableA
HeapDestroy
HeapCreate
IsBadWritePtr
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
InterlockedDecrement
InterlockedIncrement
IsBadReadPtr
IsBadCodePtr
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
SetFilePointer
SetStdHandle
FlushFileBuffers
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
user32
wsprintfA
advapi32
RegOpenKeyExA
RegQueryValueA
OpenSCManagerA
CreateServiceA
OpenServiceA
StartServiceA
RegOpenKeyA
RegSetValueExA
RegCloseKey
CloseServiceHandle
RegisterServiceCtrlHandlerA
SetServiceStatus
OpenEventLogA
ClearEventLogA
CloseEventLog
StartServiceCtrlDispatcherA
urlmon
URLDownloadToFileA
shell32
SHGetSpecialFolderPathA
Sections
.text  Size: 60KB - Virtual size: 57KB  Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata Size: 8KB - Virtual size: 5KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  Size: 16KB - Virtual size: 22KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE