gh0strat | d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 15:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
Size

168KB
MD5

0da30e92f7dd8cc6ad3c35f77a0caa80
SHA1

64a6be72141295cdd8ecacf0f4513328e45bab58
SHA256

d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523
SHA512

0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1
SSDEEP

3072:a55WhN9npi8X7+0rbaemqKKgrkF0tIjnK0LHB8BwXc4+4uFXBfOJ4lQHwmj3yadX:a55WzZX7+0rb1mq+lIj3LHmBwXcxfXFY

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022dd0-132.dat	family_gh0strat
behavioral2/files/0x0003000000022dd0-133.dat	family_gh0strat
behavioral2/files/0x0002000000022df6-134.dat	family_gh0strat
behavioral2/files/0x0003000000022df5-136.dat	family_gh0strat
behavioral2/files/0x0003000000022df5-137.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
4100	fkxjkm.exe
5012	hrlD8D2.tmp

Loads dropped DLL 1 IoCs

pid	Process
4100	fkxjkm.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fkxjkm.exe	d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
File opened for modification	C:\Windows\SysWOW64\fkxjkm.exe	d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
File created	C:\Windows\SysWOW64\hra33.dll	fkxjkm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 5012	4100	fkxjkm.exe	81
PID 4100 wrote to memory of 5012	4100	fkxjkm.exe	81
PID 4100 wrote to memory of 5012	4100	fkxjkm.exe	81

C:\Users\Admin\AppData\Local\Temp\d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
"C:\Users\Admin\AppData\Local\Temp\d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe"
1⤵
- Drops file in System32 directory
PID:1536

C:\Windows\SysWOW64\fkxjkm.exe
C:\Windows\SysWOW64\fkxjkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\TEMP\hrlD8D2.tmp
  C:\Windows\TEMP\hrlD8D2.tmp
  2⤵
  - Executes dropped EXE
  PID:5012

Network

DNS

226.101.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.101.242.52.in-addr.arpa

IN PTR

Response

20.123.141.233:443

40 B
1
93.184.221.240:80

322 B
7
20.42.73.25:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7

8.8.8.8:53

226.101.242.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

226.101.242.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fkxjkm.exe

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
C:\Windows\SysWOW64\fkxjkm.exe

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
176KB

MD5
e8f8cc390926e678ccefef14d1232840

SHA1
5b735f61905a152ffa92fa90f1ab55f4a83b3197

SHA256
90947d4b74ddb340bc3ee0d2f3f43392be493f668e68439c997a7bd8af04f174

SHA512
40766823bcbfd0d17cf067cc58cc84b21cc184f7c4ac08b349ca2ffa216d5009e7e22fa8db5d29ea2e9ea8bc6b610d887b5baef261988c824c233aaa3860b951

Download Submit
C:\Windows\TEMP\hrlD8D2.tmp

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
C:\Windows\Temp\hrlD8D2.tmp

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit