gh0strat | f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467

Analysis

max time kernel
190s
max time network
217s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 13:09

Target

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
Size

6.4MB
MD5

27a2c6683f5bf36f9eca84b69aa522b7
SHA1

6ea61de1d47fad027a9adfd3cc9768ebf4514c22
SHA256

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467
SHA512

e33633cd16697c56fd8472b5ea5353cf33286028589f16c01b677b3395da80c66aef7ed43ec225ed3b1f14779f59d8587790321701eb1252370e0a501d951bb5
SSDEEP

196608:EXCcGV7DTNWbwb8ABOLAvcaYnx++3M1KqovhXKmplB:tcob8AILxDnxhHqElB

Score

10^/10

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/968-55-0x0000000000400000-0x0000000000AB0000-memory.dmp	family_gh0strat
behavioral1/memory/968-77-0x0000000000400000-0x0000000000AB0000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/968-56-0x0000000010000000-0x0000000011000000-memory.dmp	vmprotect
behavioral1/memory/968-62-0x0000000010000000-0x0000000011000000-memory.dmp	vmprotect
behavioral1/memory/968-76-0x0000000010000000-0x0000000011000000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

pid process

968 f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

description	pid	process
Token: SeDebugPrivilege	968	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
Token: SeSecurityPrivilege	968	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

pid	process
968	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
968	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
968	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

memory/968-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/968-55-0x0000000000400000-0x0000000000AB0000-memory.dmp

Filesize
6.7MB

Download
memory/968-56-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/968-62-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/968-65-0x00000000035B0000-0x00000000035DB000-memory.dmp

Filesize
172KB

Download
memory/968-69-0x00000000035B1000-0x00000000035B4000-memory.dmp

Filesize
12KB

Download
memory/968-73-0x00000000035B1000-0x00000000035B4000-memory.dmp

Filesize
12KB

Download
memory/968-75-0x00000000035B1000-0x00000000035B4000-memory.dmp

Filesize
12KB

Download
memory/968-71-0x00000000035B1000-0x00000000035B4000-memory.dmp

Filesize
12KB

Download
memory/968-76-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/968-77-0x0000000000400000-0x0000000000AB0000-memory.dmp

Filesize
6.7MB

Download