gh0strat | 060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32

Analysis

max time kernel
166s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Size

134KB
MD5

13eb7d3c5bd88098a92eeb42f58a2f75
SHA1

303ebcf2378cb16b36824465decc7bceb03fa1a8
SHA256

060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32
SHA512

fb0304e03cfa828980918edfe8d4435f73c9c562d0b1506bc43323e615d64bbfdef60d3a1e90b49bc0027c7074e91eb25e1d2617b7ec0027c955bd6845be0440
SSDEEP

3072:MMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwz5iGHeqovv:M3JVGpxx9b3wZuwz4GHeqo

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e59-132.dat	family_gh0strat
behavioral2/files/0x000b000000022e60-133.dat	family_gh0strat
behavioral2/files/0x000b000000022e60-134.dat	family_gh0strat
behavioral2/files/0x0006000000022e59-136.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
2544	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Qplq\Ksphckprn.gif	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
File created	C:\Program Files (x86)\Qplq\Ksphckprn.gif	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeBackupPrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeBackupPrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeBackupPrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
Token: SeRestorePrivilege	1008	060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe

C:\Users\Admin\AppData\Local\Temp\060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe
"C:\Users\Admin\AppData\Local\Temp\060b30329114dc79d904ceefaf4ae276c23691eef14997b20259597fcde28e32.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2592800.dll

Filesize
101KB

MD5
940cee512ad1de690a5ea964aeeb5824

SHA1
f5a1cc4f263fe80e9c0f21e075b1ad746714c96e

SHA256
4627eacd30ba1f21c05b3f5a24d9138003c08a26db346fd900712ece398a00ce

SHA512
2f570e2e349099a18dd68f5d8a533ed3c7b6f61905f759b68e636be459765b2af7b0169bb2904aa3f7d3fd9aa9bd1c2fcf81f77d08029bcd8996a5c02dc64758

Download Submit
C:\2592800.dll

Filesize
101KB

MD5
940cee512ad1de690a5ea964aeeb5824

SHA1
f5a1cc4f263fe80e9c0f21e075b1ad746714c96e

SHA256
4627eacd30ba1f21c05b3f5a24d9138003c08a26db346fd900712ece398a00ce

SHA512
2f570e2e349099a18dd68f5d8a533ed3c7b6f61905f759b68e636be459765b2af7b0169bb2904aa3f7d3fd9aa9bd1c2fcf81f77d08029bcd8996a5c02dc64758

Download Submit
C:\Program Files (x86)\Qplq\Ksphckprn.gif

Filesize
4.4MB

MD5
01e6bae03ad1db4c748344b4b64aee32

SHA1
765bc7438f2da938a07e980ffe39b8f9799a22c7

SHA256
0cbe23d2c0f603058ffdd4d229371c0ab20eda7218898810d26248fce504cd5a

SHA512
4ac056c219c6b0ba83c1861fc0776b19b8dcd197b906cdfe930925018e867580cc48f3d2630389cdc17e99bff7ac7c1bf2b22c6ec5b5a94e04bec1a4649c7bb0

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
d83a3de3e8391c9122d69e9dae318c0e

SHA1
93d9c55ac957b086a41ec1c4c5b4847e35fb7948

SHA256
23b341ace224a4ed6b1e17b2a21a7244b66dd718f949b635722d70b660cc435a

SHA512
87ee22cddac6bc6861f42fd6b30cfabeabfcfe6af9f8fd66f8c83d1579a63d8756638668c599d3ddce5cca5a5bdeba851acec4dc994dcc1d4173a13cdada5bc9

Download Submit
\??\c:\program files (x86)\qplq\ksphckprn.gif

Filesize
4.4MB

MD5
01e6bae03ad1db4c748344b4b64aee32

SHA1
765bc7438f2da938a07e980ffe39b8f9799a22c7

SHA256
0cbe23d2c0f603058ffdd4d229371c0ab20eda7218898810d26248fce504cd5a

SHA512
4ac056c219c6b0ba83c1861fc0776b19b8dcd197b906cdfe930925018e867580cc48f3d2630389cdc17e99bff7ac7c1bf2b22c6ec5b5a94e04bec1a4649c7bb0

Download Submit