gh0strat | 54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 21:56

Target

54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe
Size

234KB
MD5

0cc0773e8571e2d83f42f2ed0564c944
SHA1

5098095532be0347ac07705797dd99dabf0e2b94
SHA256

54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451
SHA512

5990dc1a598849b9acfee31e298124c10cbb4e8cfeaa7b9be04ec9cf1bf948d301275dae46acb280e0630f5128d379ac7aa0c0852521215cacdec5d3f706ce1e
SSDEEP

3072:5ROtjvkiRfI0jZrgv7pSMqh9rjg461dsZk1xTTjBdCJtUogpgn/NitkHQ:6jkiRRWpSMqjg1TXCJVn/NU

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/1188-58-0x0000000000400000-0x000000000043C000-memory.dmp	family_gh0strat
behavioral1/files/0x000b000000012304-61.dat	family_gh0strat
behavioral1/memory/1488-64-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat
behavioral1/memory/1488-65-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1488	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1488	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\linkinfo.dll	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe
File created	C:\Windows\linkinfo.dll	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1188	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe
1188	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1488	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1188	1388	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	27
PID 1388 wrote to memory of 1188	1388	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	27
PID 1388 wrote to memory of 1188	1388	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	27
PID 1388 wrote to memory of 1188	1388	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	27
PID 1188 wrote to memory of 1688	1188	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	28
PID 1188 wrote to memory of 1688	1188	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	28
PID 1188 wrote to memory of 1688	1188	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	28
PID 1188 wrote to memory of 1688	1188	54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe	28
PID 1688 wrote to memory of 1488	1688	cmd.exe	30
PID 1688 wrote to memory of 1488	1688	cmd.exe	30
PID 1688 wrote to memory of 1488	1688	cmd.exe	30
PID 1688 wrote to memory of 1488	1688	cmd.exe	30
PID 1688 wrote to memory of 1488	1688	cmd.exe	30
PID 1688 wrote to memory of 1488	1688	cmd.exe	30
PID 1688 wrote to memory of 1488	1688	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe
"C:\Users\Admin\AppData\Local\Temp\54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe
  C:\Users\Admin\AppData\Local\Temp\54afcb91af3d04b73b9e8f1db28ea507271e3a6043a744dfd75c3c292aeee451.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rundll32.exe C:\Windows\linkinfo.dll hi
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\linkinfo.dll hi
      4⤵
      Blocklisted process makes network request
      Deletes itself
      Suspicious behavior: GetForegroundWindowSpam
      PID:1488

C:\Windows\linkinfo.dll

Filesize
118KB

MD5
817eacab620b8fde07a5ac68d1a66310

SHA1
dc5c4c41a361d9a249b481a7584a8926f2fd04bb

SHA256
19c738ba12303926f6b00a7b791676fff2d24bfcab1c958c3ee56292bfa97d9e

SHA512
53e42ae391632f403624187997c1f680e3c5a05d1dcc77010281ea9ccc8bd687cfc8dee068bb1532e436155f827271724cdea0ec3b4abd9b2753b13d36683bf1

Download Submit
memory/1188-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1388-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-63-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1488-64-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1488-65-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download