gh0strat | d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c

Analysis

max time kernel
108s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe
Size

89KB
MD5

55a2a638581ce1c259a850d264d28b84
SHA1

a9e7525e238a5f1e90055397252d81dd5e00f0d2
SHA256

d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c
SHA512

4c7056b5973c65c187b48733109b0936a68e03cb024f1e215c8497b9d0b6397215b5b42766270d1b1cbb1c399806908e0064b93f1ae329edb1455358e4e5f23d
SSDEEP

1536:rHIygkUcLXJ1jNkk7+K3BwSFCXte5tz4yC2ASelhEAiajhenUe:rHI0JXJ1NZn3Bw1Xte5WyC2AdhEAiaje

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/1200-55-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral1/memory/1200-56-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral1/memory/1200-59-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral1/memory/1472-66-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral1/memory/1472-67-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral1/memory/1472-68-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1472	fwrqwystkg

Loads dropped DLL 1 IoCs

pid	Process
1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27
PID 1200 wrote to memory of 1472	1200	d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe	27

C:\Users\Admin\AppData\Local\Temp\d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe
"C:\Users\Admin\AppData\Local\Temp\d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200
- \??\c:\users\admin\appdata\local\fwrqwystkg
  "C:\Users\Admin\AppData\Local\Temp\d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe" a -sc:\users\admin\appdata\local\temp\d4e2368a849804a0c3e1c3478e53bf15618708489085a3dd988e4c51a8f2349c.exe
  2⤵
  - Executes dropped EXE
  PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fwrqwystkg

Filesize
20.7MB

MD5
510130c24764184d7e045741bb2295e4

SHA1
50265645e5b08c4ef7124db34d79f24595d0b72a

SHA256
1271bfd14aa4af11c9cf7d8b0d0a7c559f96955675fc8422a4322b6bc1eed488

SHA512
6bd1d655214223152c071a01d17484a602e1b5df73f440f5f743044178c23260bec93312d0cbb2067c93230b9d3ae550fd37b070c88d91d8d558100715eebcb4

Download Submit
\??\c:\users\admin\appdata\local\fwrqwystkg

Filesize
20.7MB

MD5
510130c24764184d7e045741bb2295e4

SHA1
50265645e5b08c4ef7124db34d79f24595d0b72a

SHA256
1271bfd14aa4af11c9cf7d8b0d0a7c559f96955675fc8422a4322b6bc1eed488

SHA512
6bd1d655214223152c071a01d17484a602e1b5df73f440f5f743044178c23260bec93312d0cbb2067c93230b9d3ae550fd37b070c88d91d8d558100715eebcb4

Download Submit
\Users\Admin\AppData\Local\fwrqwystkg

Filesize
20.7MB

MD5
510130c24764184d7e045741bb2295e4

SHA1
50265645e5b08c4ef7124db34d79f24595d0b72a

SHA256
1271bfd14aa4af11c9cf7d8b0d0a7c559f96955675fc8422a4322b6bc1eed488

SHA512
6bd1d655214223152c071a01d17484a602e1b5df73f440f5f743044178c23260bec93312d0cbb2067c93230b9d3ae550fd37b070c88d91d8d558100715eebcb4

Download Submit
memory/1200-57-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1200-58-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1200-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1200-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1200-63-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1200-55-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1472-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1472-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1472-68-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads