gh0strat | f859c3a644806fe157f111ebd649102c6ce5c6a6c5612b6b86d0484509b6258f

Sharing

Copy URL

Twitter E-mail

General

Target

f859c3a644806fe157f111ebd649102c6ce5c6a6c5612b6b86d0484509b6258f
Size

195KB
MD5

a35bec80a2f90ab98cac64dd7f34d9e3
SHA1

bc166451d59084542cc022923ef6bd65972b734b
SHA256

f859c3a644806fe157f111ebd649102c6ce5c6a6c5612b6b86d0484509b6258f
SHA512

118382f1b53d7b08e6dac140e49211910ac7a0ea0d451e48b4e28c4e909b4dae1d7a608e032de0427e42a528712b8c49d535d3db1e57c61d64b0f3409701d876
SSDEEP

3072:a/OAJfleMyWZoskV7W70SqWiyeSSHdOaHW0jt5vUH:vQlSVi76aS9f20jXvUH

Score

10^/10

gh0strat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
sample	family_gh0strat

Gh0strat family
gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f859c3a644806fe157f111ebd649102c6ce5c6a6c5612b6b86d0484509b6258f

Files

f859c3a644806fe157f111ebd649102c6ce5c6a6c5612b6b86d0484509b6258f
.dll windows:4 windows x86 arch:x86

b207f640446b56e3aed40329df59eb63

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord823
ord825

msvcrt

atol
wcscpy
wcstombs
wcslen
mbstowcs
_errno
strncpy
atoi
strncat
getchar
wcsstr
_mbslwr
strchr
_except_handler3
strncmp
sprintf
strrchr
_access
exit
_mbscmp
free
malloc
realloc
strstr
_ftol
ceil
memmove
__CxxFrameHandler
_strupr
_beginthreadex
_snprintf
calloc
_initterm
_adjust_fdiv
_strnicmp
_wcsupr
_mbsstr

kernel32

LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
ResetEvent
SetEvent
InterlockedExchange
CancelIo
Sleep
CloseHandle
GetModuleHandleA
lstrcatA
lstrlenA
FreeLibrary
LoadLibraryW
GetTickCount
GetDiskFreeSpaceExA
GetDriveTypeA
GlobalMemoryStatusEx
GetSystemInfo
GetVersionExA
WriteFile
GetFileSize
VirtualFree
CreateFileA
FindClose
FindNextFileA
DeleteFileA
RemoveDirectoryA
SetFileAttributesA
GetFileAttributesA
GetLastError
CreateMutexA
OutputDebugStringA
SetThreadPriority
GetCurrentThread
GetCurrentProcess
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetLocalTime
CreateProcessA
lstrcpyA
CreateDirectoryA
MoveFileExA
CopyFileA
GetCurrentThreadId
HeapFree
GetProcessHeap
HeapAlloc
HeapReAlloc
VirtualProtect
IsBadReadPtr
LocalAlloc
LocalReAlloc
ReadFile
GetWindowsDirectoryA
LocalFree
LocalSize
GetVolumeInformationA
GetLogicalDriveStringsA
FindFirstFileA
MoveFileA
CreateToolhelp32Snapshot
Process32Next
Process32First
ExitProcess
GetVersion
DeviceIoControl
Beep
TerminateThread
ResumeThread
GetSystemDirectoryA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
CreateThread
MultiByteToWideChar
WideCharToMultiByte
lstrcpyW
WinExec
lstrcmpiA
Module32Next
Module32First
CreateRemoteThread
OpenProcess
TerminateProcess
GlobalMemoryStatus
GetComputerNameA
GetPrivateProfileStringA
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
lstrcmpA
DisableThreadLibraryCalls
DeleteCriticalSection
InitializeCriticalSection
WaitForSingleObject
LoadLibraryA
GetProcAddress
SetFilePointer

user32

EmptyClipboard
SetClipboardData
CloseClipboard
mouse_event
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
keybd_event
SystemParametersInfoA
BlockInput
DestroyCursor
GetKeyState
GetAsyncKeyState
OpenClipboard
GetClassNameA
GetForegroundWindow
MoveWindow
GetWindowRect
SwapMouseButton
ExitWindowsEx
CharNextA
LoadIconA
LoadCursorA
RegisterClassA
PostThreadMessageA
GetInputState
MessageBoxA
wsprintfA
GetClipboardData
GetSystemMetrics
SetRect
GetDC
ReleaseDC
GetDesktopWindow
SendMessageA
GetCursorInfo
GetWindowThreadProcessId
GetCursorPos
GetWindowTextA
IsWindowVisible
GetWindow
PostMessageA
EnumWindows
SetThreadDesktop
GetUserObjectInformationA
GetThreadDesktop
CloseDesktop
OpenInputDesktop
FindWindowA
GetDlgItem
SetDlgItemTextA
GetDlgItemTextA
DispatchMessageA
TranslateMessage
GetMessageA
SetWindowPos
ShowWindow
UpdateWindow
CreateDialogParamA
EndDialog

gdi32

GetStockObject
SelectObject
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetDIBits
CreateCompatibleBitmap

advapi32

AbortSystemShutdownA
GetUserNameA
LookupAccountSidA
GetTokenInformation
QueryServiceConfigA
ControlService
QueryServiceStatus
ChangeServiceConfigA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegQueryValueA
RegOpenKeyExA
CloseServiceHandle
StartServiceA
OpenServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
RegCreateKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
DeleteService
OpenSCManagerA
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
RegCreateKeyExA
EnumServicesStatusA

shell32

SHGetFileInfoA
ShellExecuteExA
SHChangeNotify
SHGetSpecialFolderPathA
ShellExecuteA

ole32

CoInitialize
CoCreateInstance
CoUninitialize

oleaut32

SysFreeString

winmm

waveInGetNumDevs
mciSendStringA

ws2_32

accept
listen
sendto
recvfrom
__WSAFDIsSet
ioctlsocket
ntohs
inet_ntoa
getpeername
gethostname
WSACleanup
send
closesocket
socket
gethostbyname
htons
connect
bind
inet_addr
getsockname
WSAStartup
select
recv
WSAIoctl
setsockopt

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z

iphlpapi

GetIfTable

wtsapi32

WTSEnumerateSessionsA
WTSQuerySessionInformationW
WTSFreeMemory
WTSQuerySessionInformationA
WTSDisconnectSession
WTSLogoffSession

netapi32

NetUserSetInfo
NetApiBufferFree
NetUserGetInfo
NetUserEnum
NetLocalGroupAddMembers
NetUserAdd
NetUserDel
NetUserGetLocalGroups

psapi

GetModuleFileNameExA
EnumProcessModules

Exports

Exports

Main

Sections

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 129KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b207f640446b56e3aed40329df59eb63

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

winmm

ws2_32

msvcp60

iphlpapi

wtsapi32

netapi32

psapi

Exports

Exports

Sections

.text Size: 124KB - Virtual size: 123KB

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 16KB - Virtual size: 129KB

.rsrc Size: 4KB - Virtual size: 248B

.reloc Size: 12KB - Virtual size: 8KB

.text
Size: 124KB - Virtual size: 123KB

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 16KB - Virtual size: 129KB

.rsrc
Size: 4KB - Virtual size: 248B

.reloc
Size: 12KB - Virtual size: 8KB