gh0strat | be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 06:51

Target

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe
Size

18KB
MD5

0fecd295680f9d3dbe60062382c078b6
SHA1

adea29b8ac04672d55b63dcac0d2f2294a991251
SHA256

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb
SHA512

2453fd9fdcef0278c531c7e2210b12b50d5a8e3d2fa5d88d3cec2f2c726fb99e2c9bc9d714522a6d40617d97a0458fa37abee1b49ee5466d523873976de7f5fc
SSDEEP

384:mKfZ0Fo/L/55KHJkdJgqj78WkK5DKrDpKK:n0Fodga/ZKrD

Score

10^/10

gh0strat rat upx

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4972-135-0x0000000000400000-0x000000000040D000-memory.dmp	family_gh0strat
behavioral2/memory/3960-136-0x0000000000400000-0x000000000040D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

Ubkbmdn.exe

pid process

3960 Ubkbmdn.exe

pid	process
3960	Ubkbmdn.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/4972-132-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Windows\Ubkbmdn.exe	upx
C:\Windows\Ubkbmdn.exe	upx
behavioral2/memory/4972-135-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3960-136-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

description	ioc	process
File created	C:\Windows\Ubkbmdn.exe	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe
File opened for modification	C:\Windows\Ubkbmdn.exe	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

pid	process
4972	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe
4972	be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ubkbmdn.exe

description pid process

Token: SeDebugPrivilege 3960 Ubkbmdn.exe

description	pid	process
Token: SeDebugPrivilege	3960	Ubkbmdn.exe

C:\Windows\Ubkbmdn.exe

Filesize
18KB

MD5
0fecd295680f9d3dbe60062382c078b6

SHA1
adea29b8ac04672d55b63dcac0d2f2294a991251

SHA256
be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb

SHA512
2453fd9fdcef0278c531c7e2210b12b50d5a8e3d2fa5d88d3cec2f2c726fb99e2c9bc9d714522a6d40617d97a0458fa37abee1b49ee5466d523873976de7f5fc

Download Submit
C:\Windows\Ubkbmdn.exe

Filesize
18KB

MD5
0fecd295680f9d3dbe60062382c078b6

SHA1
adea29b8ac04672d55b63dcac0d2f2294a991251

SHA256
be517ac984c19803ef36096c0670171901e69b466f0ecd88a6dfb3a3a1e704fb

SHA512
2453fd9fdcef0278c531c7e2210b12b50d5a8e3d2fa5d88d3cec2f2c726fb99e2c9bc9d714522a6d40617d97a0458fa37abee1b49ee5466d523873976de7f5fc

Download Submit
memory/3960-136-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4972-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4972-135-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download