gh0strat | be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:51

Target

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe
Size

18KB
MD5

0fecd295680f9d3dbe60062382c078b6
SHA1

adea29b8ac04672d55b63dcac0d2f2294a991251
SHA256

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb
SHA512

2453fd9fdcef0278c531c7e2210b12b50d5a8e3d2fa5d88d3cec2f2c726fb99e2c9bc9d714522a6d40617d97a0458fa37abee1b49ee5466d523873976de7f5fc
SSDEEP

384:mKfZ0Fo/L/55KHJkdJgqj78WkK5DKrDpKK:n0Fodga/ZKrD

Score

10^/10

gh0strat rat upx

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1204-55-0x0000000000400000-0x000000000040D000-memory.dmp	family_gh0strat
behavioral1/memory/840-58-0x0000000000400000-0x000000000040D000-memory.dmp	family_gh0strat
behavioral1/memory/840-59-0x0000000000400000-0x000000000040D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

Ubkbmdn.exe

pid process

840 Ubkbmdn.exe

pid	process
840	Ubkbmdn.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1204-55-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Windows\Ubkbmdn.exe	upx
behavioral1/memory/840-58-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/840-59-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

description	ioc	process
File created	C:\Windows\Ubkbmdn.exe	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe
File opened for modification	C:\Windows\Ubkbmdn.exe	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

pid process

1204 be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ubkbmdn.exe

description pid process

Token: SeDebugPrivilege 840 Ubkbmdn.exe

pid	process
1204	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

description	pid	process
Token: SeDebugPrivilege	840	Ubkbmdn.exe

C:\Windows\Ubkbmdn.exe
Filesize
18KB

MD5
0fecd295680f9d3dbe60062382c078b6

SHA1
adea29b8ac04672d55b63dcac0d2f2294a991251

SHA256
be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb

SHA512
2453fd9fdcef0278c531c7e2210b12b50d5a8e3d2fa5d88d3cec2f2c726fb99e2c9bc9d714522a6d40617d97a0458fa37abee1b49ee5466d523873976de7f5fc

Download Submit
memory/840-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/840-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download