gh0strat | 060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32

Analysis

max time kernel
188s
max time network
104s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Size

134KB
MD5

13eb7d3c5bd88098a92eeb42f58a2f75
SHA1

303ebcf2378cb16b36824465decc7bceb03fa1a8
SHA256

060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32
SHA512

fb0304e03cfa828980918edfe8d4435f73c9c562d0b1506bc43323e615d64bbfdef60d3a1e90b49bc0027c7074e91eb25e1d2617b7ec0027c955bd6845be0440
SSDEEP

3072:MMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwz5iGHeqovv:M3JVGpxx9b3wZuwz4GHeqo

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000133db-55.dat	family_gh0strat
behavioral1/files/0x000b0000000133db-56.dat	family_gh0strat
behavioral1/files/0x000a000000012722-59.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1504	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Qplq\Ksphckprn.gif	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
File created	C:\Program Files (x86)\Qplq\Ksphckprn.gif	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeBackupPrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeBackupPrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeBackupPrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	2016	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe

C:\Users\Admin\AppData\Local\Temp\060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
"C:\Users\Admin\AppData\Local\Temp\060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1552700.dll

Filesize
101KB

MD5
940cee512ad1de690a5ea964aeeb5824

SHA1
f5a1cc4f263fe80e9c0f21e075b1ad746714c96e

SHA256
4627eacd30ba1f21c05b3f5a24d9138003c08a26db346fd900712ece398a00ce

SHA512
2f570e2e349099a18dd68f5d8a533ed3c7b6f61905f759b68e636be459765b2af7b0169bb2904aa3f7d3fd9aa9bd1c2fcf81f77d08029bcd8996a5c02dc64758

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
6d059af7051ea4d268c4f98cd21532bb

SHA1
2c726400ead3826a36c93b223ac2c12362c4f0bf

SHA256
0f490fc399aaaa70b8f9fbe21a0894a92bf8a12d7ae43704b33730d2db0f3ab9

SHA512
7e9159368dccf835acd4ceeef83a62f71ddf8f655d70832f8d14608e92746c9e0e634ebe63c16bf294300608cf8473e743c4b729b816f9bc68dcbfcb09f7d470

Download Submit
\??\c:\program files (x86)\qplq\ksphckprn.gif

Filesize
11.7MB

MD5
380d3966fbe7aa500cde01276f8cbc5d

SHA1
74889ed846243611b256bafc95f847b6cb07210a

SHA256
a3e41976efb3ee93cbce3f4ee7fc7cc230a1c25627f273eb747029b12070f455

SHA512
07d5c5026bbc9561530141387df8c33a061218a1126754cefa0df42ed5664bc319e8591739d27472697fcb21653e1f2043cae565038f1d7f5caa4aa862c98a34

Download Submit
\Program Files (x86)\Qplq\Ksphckprn.gif

Filesize
11.7MB

MD5
380d3966fbe7aa500cde01276f8cbc5d

SHA1
74889ed846243611b256bafc95f847b6cb07210a

SHA256
a3e41976efb3ee93cbce3f4ee7fc7cc230a1c25627f273eb747029b12070f455

SHA512
07d5c5026bbc9561530141387df8c33a061218a1126754cefa0df42ed5664bc319e8591739d27472697fcb21653e1f2043cae565038f1d7f5caa4aa862c98a34

Download Submit
memory/2016-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download