gh0strat | 6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d

Analysis

max time kernel
152s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Size

169KB
MD5

5dfc356fb0ffe7efcdcb9d7d5734eda7
SHA1

512d84553880513daa2a1115c3f469958e76f73f
SHA256

6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d
SHA512

b4b68be4d590d097825023c9c503b42b98f83d29f25aab49f8df46915c83cb392fca15fa725cef2090f4841e53f5eeeb7ba6ae1ef86ab0d465cbf4d2c5ff3a06
SSDEEP

3072:50T6QTlxjLXCKDcMERjtJXVtEhKwBDV0cUyMUeqovOPZ/N:503HyvjTXLiKwBDVtUAeqo6N

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000134d5-55.dat	family_gh0strat
behavioral1/files/0x000c0000000134d5-56.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-59.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1900	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ckfo\Sggggnyvm.gif	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
File created	C:\Program Files (x86)\Ckfo\Sggggnyvm.gif	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeRestorePrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeBackupPrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeRestorePrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeBackupPrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeRestorePrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeBackupPrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
Token: SeRestorePrivilege	1832	6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe

C:\Users\Admin\AppData\Local\Temp\6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe
"C:\Users\Admin\AppData\Local\Temp\6020a95ae887d71ecf9da69325ad46af1c18d51896bcf1e7c93b81ab068c705d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2723900.dll

Filesize
117KB

MD5
72d74c7b4fb0bfe8fab9c35131e18b47

SHA1
847efff840d84d29c677d8072aec6a6246609293

SHA256
481b48945c7ef2de16746b43780043d6c2fce57d8b55dccd40022214dd088592

SHA512
745fb03d6e688b4f394f877fcffeb1e6e9369bdab80d4f986aa8f401f585bef13fe662455f9a4a4fc896136a05d756aa2a2222352a8cb0c6207f006d126001c1

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
dfa82df7439e6a66feeecc2f0421df97

SHA1
0e9736d1b83b8b0965a929a157491f3459c94603

SHA256
b340b650e23529f707485dc568935c43aa6a6b5abb992ba1c0c41a879860fd3f

SHA512
821d7e7e0238bd4c8d36f5787ab721d58e9e3619a29e954407e3662a3ab5ca72e758af1751b764d692dec46bddcdc476daa684e6588c7009470fafd5a9de4485

Download Submit
\??\c:\program files (x86)\ckfo\sggggnyvm.gif

Filesize
4.5MB

MD5
7ca16eea3b380bb27f704b6656142c01

SHA1
c31f90e5b5e8005e0d0de12ad12b0503ec510f5f

SHA256
dba13b6e7dd36579bf0f4a25d9f7f5a52135c7e2545899f508c8556fb58c80fd

SHA512
7289907046a06381f44a99c76903252f8895149daeeb8fba9b001a15f00f75ac1dd5682c3f77d462bca1eb0799e7cd8e7ee8337922c395ea72a3e9e7c8035146

Download Submit
\Program Files (x86)\Ckfo\Sggggnyvm.gif

Filesize
4.5MB

MD5
7ca16eea3b380bb27f704b6656142c01

SHA1
c31f90e5b5e8005e0d0de12ad12b0503ec510f5f

SHA256
dba13b6e7dd36579bf0f4a25d9f7f5a52135c7e2545899f508c8556fb58c80fd

SHA512
7289907046a06381f44a99c76903252f8895149daeeb8fba9b001a15f00f75ac1dd5682c3f77d462bca1eb0799e7cd8e7ee8337922c395ea72a3e9e7c8035146

Download Submit
memory/1832-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download