gh0strat | 41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc

Analysis

max time kernel
148s
max time network
203s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:38

Target

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe
Size

576KB
MD5

84da30f0f735da2e20006c5a9bb97b68
SHA1

b9effa25a5e7ef86b25225ce30fe9d2bb8be7fb6
SHA256

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc
SHA512

28e45d3067f4c9c0d77bfc733a566457a6204af418db3f216c9cad03134d8b4a0176c9c158771ae154d0a3d2153b545c01c640e1e7bbab15fff1a0d9a338e4d2
SSDEEP

6144:/yHe1w/ziNliJMPLdXopU7JtGVa1TnbM/fxz/8iAg:a+1w/CIGPLs+m44yg

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-55-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat
C:\Program Files (x86)\Tpbllrh.exe	family_gh0strat
C:\Program Files (x86)\Tpbllrh.exe	family_gh0strat
C:\Program Files (x86)\Tpbllrh.exe	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

Tpbllrh.exeTpbllrh.exe

pid process

1972 Tpbllrh.exe
268 Tpbllrh.exe

pid	process
1972	Tpbllrh.exe
268	Tpbllrh.exe

Drops file in Program Files directory 2 IoCs

Processes:

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

description	ioc	process
File created	C:\Program Files (x86)\Tpbllrh.exe	41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe
File opened for modification	C:\Program Files (x86)\Tpbllrh.exe	41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

pid process

2040 41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exeTpbllrh.exeTpbllrh.exe

pid process

2040 41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe
1972 Tpbllrh.exe
268 Tpbllrh.exe

pid	process
2040	41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Tpbllrh.exe

description	pid	process	target process
PID 1972 wrote to memory of 268	1972	Tpbllrh.exe	Tpbllrh.exe
PID 1972 wrote to memory of 268	1972	Tpbllrh.exe	Tpbllrh.exe
PID 1972 wrote to memory of 268	1972	Tpbllrh.exe	Tpbllrh.exe
PID 1972 wrote to memory of 268	1972	Tpbllrh.exe	Tpbllrh.exe

C:\Program Files (x86)\Tpbllrh.exe
Filesize
576KB

MD5
84da30f0f735da2e20006c5a9bb97b68

SHA1
b9effa25a5e7ef86b25225ce30fe9d2bb8be7fb6

SHA256
41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc

SHA512
28e45d3067f4c9c0d77bfc733a566457a6204af418db3f216c9cad03134d8b4a0176c9c158771ae154d0a3d2153b545c01c640e1e7bbab15fff1a0d9a338e4d2

Download Submit
C:\Program Files (x86)\Tpbllrh.exe
Filesize
576KB

MD5
84da30f0f735da2e20006c5a9bb97b68

SHA1
b9effa25a5e7ef86b25225ce30fe9d2bb8be7fb6

SHA256
41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc

SHA512
28e45d3067f4c9c0d77bfc733a566457a6204af418db3f216c9cad03134d8b4a0176c9c158771ae154d0a3d2153b545c01c640e1e7bbab15fff1a0d9a338e4d2

Download Submit
C:\Program Files (x86)\Tpbllrh.exe
Filesize
576KB

MD5
84da30f0f735da2e20006c5a9bb97b68

SHA1
b9effa25a5e7ef86b25225ce30fe9d2bb8be7fb6

SHA256
41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc

SHA512
28e45d3067f4c9c0d77bfc733a566457a6204af418db3f216c9cad03134d8b4a0176c9c158771ae154d0a3d2153b545c01c640e1e7bbab15fff1a0d9a338e4d2

Download Submit
memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download