gh0strat | 68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba

Analysis

max time kernel
204s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Size

138KB
MD5

9c80a1967f092c96f75789cefe1bd709
SHA1

d1dc0a3734b97f9102f0163a8d69a8dd218e6eb3
SHA256

68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba
SHA512

f967f46ea560bc9dc0b734dc3fc223dc8070c3f856d8195751df54d7a271e39c60429425c0237caf051a1d30ca7b12160294985c1820052b64b27ed1dec1c5c0
SSDEEP

3072:Z5Qj0XLXcCS2MRczZK8/y4pE2IybZuwl1PMRPeqov:ZzbDMGJyE51ZuwlB+eqo

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022662-132.dat	family_gh0strat
behavioral2/files/0x000b0000000231a0-133.dat	family_gh0strat
behavioral2/files/0x000b0000000231a0-134.dat	family_gh0strat
behavioral2/files/0x0005000000022662-136.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
2052	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sdwu\Efkhrjqwa.bmp	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
File created	C:\Program Files (x86)\Sdwu\Efkhrjqwa.bmp	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe
2052	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeRestorePrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeBackupPrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeRestorePrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeBackupPrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeRestorePrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeBackupPrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
Token: SeRestorePrivilege	3572	68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe

C:\Users\Admin\AppData\Local\Temp\68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe
"C:\Users\Admin\AppData\Local\Temp\68340207d7a47dd7f7c58b0d0d1cba617d2cc9ac59f15fc9381bab35e05e7cba.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2501100.dll

Filesize
105KB

MD5
8a7da987f557fe19f07f23cfc5253bbf

SHA1
21011aad02a304487e58535150bf548c6e8ebff5

SHA256
d51690271c37b83b1656f6be6d8bd32559e6a36578c560827ff0235c8bb95c4d

SHA512
56573127c0d7414ae0a1b11e6dcf8213c756e40e075018769d191182a218bb3812c20cfc524dd494fdfc9c4c3e03e60e0a81c433b428c55f0e5843f468c14fba

Download Submit
C:\2501100.dll

Filesize
105KB

MD5
8a7da987f557fe19f07f23cfc5253bbf

SHA1
21011aad02a304487e58535150bf548c6e8ebff5

SHA256
d51690271c37b83b1656f6be6d8bd32559e6a36578c560827ff0235c8bb95c4d

SHA512
56573127c0d7414ae0a1b11e6dcf8213c756e40e075018769d191182a218bb3812c20cfc524dd494fdfc9c4c3e03e60e0a81c433b428c55f0e5843f468c14fba

Download Submit
C:\Program Files (x86)\Sdwu\Efkhrjqwa.bmp

Filesize
314KB

MD5
485fce7dbf3e39e21b1ce4d4761c21a0

SHA1
64ef83b0061c08b51039dd9b1e360fef549f83c7

SHA256
da203be2b3e0a091fc8f2a1e0d6bfa52897d1d0e6096317c7d1afcbfa1988314

SHA512
b9cc78b8ad8f025199a71c2a32d4635818239dc6ed0b60a0324f9c881f80273b4d1d6b3ff8291a2d4bbf0c11e305534834aa79d8e07679837c3e1e64676872d1

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
3d9948a92cfb6d58a04fd735d8a1675a

SHA1
4c69fddfeccd664850273ca9bd7ae4c4626aa51a

SHA256
d6efe2d83fdb9a1ecb1596dc5a5f39a922b163816ad92da5a0c8873b6c216f93

SHA512
c2279a766f428cf5b7360d873502050c1dcb9f927d88b0e85202471a6a670ff8546ea6bd972c25fa67646a47c18d2ea437371dbe8a1ed45eadd10d42112a9ead

Download Submit
\??\c:\program files (x86)\sdwu\efkhrjqwa.bmp

Filesize
314KB

MD5
485fce7dbf3e39e21b1ce4d4761c21a0

SHA1
64ef83b0061c08b51039dd9b1e360fef549f83c7

SHA256
da203be2b3e0a091fc8f2a1e0d6bfa52897d1d0e6096317c7d1afcbfa1988314

SHA512
b9cc78b8ad8f025199a71c2a32d4635818239dc6ed0b60a0324f9c881f80273b4d1d6b3ff8291a2d4bbf0c11e305534834aa79d8e07679837c3e1e64676872d1

Download Submit