ghost.exe

First submission 2024-02-09 06:44:45

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 3207.0 KB (3283968 bytes)
Compile time: 2022-11-15 13:57:15
MD5: b077d33f58db73dd013c079bb435efa3
SHA1: cfbb65c511510ffb8d09b4b8fbd50976012889a8
SHA256: 9195c2f38b5942ec45f56b6a236e73f315da51ad2353e98c44fa9b6fff2f9c29
Import Hash: 55e8353f802707422a3462a3bab24fd9
Sections (8): .text, .rdata, .data, .poc, .tls, .yoxevet, .rici, .rsrc
Directories (3): import, resource, tls
Virus Total:

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://chubb-institute.com/temp/ghost.exe chubb-institute.com 2024-02-09 06:44:45

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x3197f2 3250176 f5119d4e17cbc04988eb6042239ba0d1662f7ef5 eb2be84652bf9a39ef73a66ce85736a4
.rdata 0x31b000 0x3198 12800 5b8a7cdb72101c37295d594ca5e5bb6af017f57d a1e08ef2b01073dea636f0e99cdbb6ad
.data 0x31f000 0x27a8580 7680 55ab62a76b23606a44c7d51c9c8b66642e783f1f 394b89ec96001650e403d138aed28fee
.poc 0x2ac8000 0x7c 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.tls 0x2ac9000 0x9cd 2560 4358194749214d739152fa635bff9e886e4d692b a371492f16c0940507435909603efe88
.yoxevet 0x2aca000 0xc 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.rici 0x2acb000 0x400 1024 60cacbf3d72e1e7834203da608037b1bf83b40e8 0f343b0931126a20f133d67c2b018a3b
.rsrc 0x2acc000 0x1c30 7680 e6977fa4811f3a40241aede740ecdad8aec2d3b5 1e3d09748b3b7755e3ad896d2c3a2534

PE Resources 5

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x2acc1e0 4264
RT_STRING LANG_ENGLISH SUBLANG_ENGLISH_US 0x2acd888 932
RT_ACCELERATOR LANG_ENGLISH SUBLANG_ENGLISH_US 0x2acd2a0 32
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x2acd288 20
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x2acd2c0 496

Meta infos 6

LegalCopyright: Silent news
InternalName: Stupido
FileVersion: 44.41.80.59
CompanyName: Torque
Translation: 0x179c 0x02fd
ProductVersion: 5.99.76.62

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
ADVAPI32.dll
WUSER32.DLL
KERNEL32.dll
mscoree.dll
USER32.dll

Strings analysis - Possible IPs found 2

5.99.76.62
44.41.80.59

Import functions

Name Latest seen MD5
lumma.exe 2024-02-09 08:21:04 30862fecf7b6eff6b318feccc621d737