gh0strat | 92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0

Analysis

max time kernel
153s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 03:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Size

139KB
MD5

03bbfb1b9562e01bf6f95c66102786e0
SHA1

7ab18d413a30139a6442a106964ee0e18467aba9
SHA256

92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0
SHA512

a6914947c28d4e12dd01108d00e600d02f4b752dc17a1d52a38a0171999eecfd7387933e40edce6f7cee049f8d3205e28f3e30d31ae588d80ad2afb46241946a
SSDEEP

3072:zUwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwC5iGKID5931cJQW0z:zvJVGpxx9b3wZuwC4GvDfl472

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000a000000022e28-132.dat	family_gh0strat
behavioral2/files/0x000b000000022e37-133.dat	family_gh0strat
behavioral2/files/0x000b000000022e37-134.dat	family_gh0strat
behavioral2/files/0x000a000000022e28-136.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
2660	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\3-24ÃâÉ±.jpg	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
File created	C:\Program Files (x86)\3-24ÃâÉ±.jpg	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
File opened for modification	C:\Program Files (x86)\3-24ÃâÉ±.jpg	svchost.exe
File created	C:\Program Files (x86)\3-24ÃâÉ±.jpg	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeRestorePrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeBackupPrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeRestorePrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeBackupPrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeRestorePrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeBackupPrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeRestorePrivilege	4972	92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe

C:\Users\Admin\AppData\Local\Temp\92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe
"C:\Users\Admin\AppData\Local\Temp\92aee4da9fce799349e135ee95774753543c5b0df4815102b70439d7442a9ad0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1881600.dll

Filesize
101KB

MD5
6b43d3396d39bd8a7dcd13521fdb4254

SHA1
766aee38c064c7af455e919fa898f9279093eae3

SHA256
1c5caae676972baac6bb7a3d84e9b17e8bd73b89af2b16625865040f5ca66397

SHA512
a03f5fa2238c6bd0dff8ab2545ceeac1fd2a688737266a8e1d21f49624f86ca7217f54e29a9524d0180e569851196afd08dcbbd3c26de43a6c85f2cd4bd39cbf

Download Submit
C:\1881600.dll

Filesize
101KB

MD5
6b43d3396d39bd8a7dcd13521fdb4254

SHA1
766aee38c064c7af455e919fa898f9279093eae3

SHA256
1c5caae676972baac6bb7a3d84e9b17e8bd73b89af2b16625865040f5ca66397

SHA512
a03f5fa2238c6bd0dff8ab2545ceeac1fd2a688737266a8e1d21f49624f86ca7217f54e29a9524d0180e569851196afd08dcbbd3c26de43a6c85f2cd4bd39cbf

Download Submit
C:\Program Files (x86)\3-24ÃâÉ±.jpg

Filesize
8.5MB

MD5
94a7e6d4e6cea5e5a5e0054b503b671d

SHA1
45ccc67323a6f08656dbc83d51692e02b1d02fa3

SHA256
bb56a90c86f69e863fc033727330c27cce2756d990ed6e108d54f4584238dcea

SHA512
8a0b46fb74709b82ad62acc7110ec59f397a37d75c8d6b753fc513f0874f3207e646a2d6f79663cf71a6168c7785825ce9e55704f5d9ce41c9c517a3c53fce9d

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
8ce76fbe91d5b2dc70ebf632945dfd1b

SHA1
8155071c57e6651fa6d6e5f1791512e4b587f365

SHA256
e13e95790dd93b180d58c0697da4ff0555434917e5f87cdef9666234bdc4525c

SHA512
99adc6ee8273753a036895e0edc6f76504fc1fabeeec1e40793492704041773e6bfe70ebbcf40361e3f2ebfa2d8279eec5546157bf52aeaa53e5f94ce1f9d2cd

Download Submit
\??\c:\program files (x86)\3-24ãâé±.jpg

Filesize
8.5MB

MD5
94a7e6d4e6cea5e5a5e0054b503b671d

SHA1
45ccc67323a6f08656dbc83d51692e02b1d02fa3

SHA256
bb56a90c86f69e863fc033727330c27cce2756d990ed6e108d54f4584238dcea

SHA512
8a0b46fb74709b82ad62acc7110ec59f397a37d75c8d6b753fc513f0874f3207e646a2d6f79663cf71a6168c7785825ce9e55704f5d9ce41c9c517a3c53fce9d

Download Submit