gh0strat | 0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41

Analysis

max time kernel
151s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Size

142KB
MD5

c5ea3d05484e0cb03a67a34d5d3b2b7f
SHA1

e07b876cc2215c31432a4297e38248a01f6e5b0b
SHA256

0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41
SHA512

559ecd09a4fe164040721429520d9558c20176287a0bcec55b309692433905066d353fede2e17dd02ae24d64a14190813104a625f132d9b74dbcaa71e50882b2
SSDEEP

3072:BeQYPX1Sp7+tFDZzxqE/34pEX9yjZcwT+kBeqovQ5:B+EoFDB3E8YZcwT+Weqo45

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122eb-55.dat	family_gh0strat
behavioral1/files/0x000d0000000122eb-56.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-59.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
892	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
892	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Lkawkalbo.pic	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
File created	C:\Program Files (x86)\Common Files\Lkawkalbo.pic	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe
892	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeBackupPrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeBackupPrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeBackupPrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	1972	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe

C:\Users\Admin\AppData\Local\Temp\0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
"C:\Users\Admin\AppData\Local\Temp\0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1562400.dll

Filesize
105KB

MD5
1b7b76541a8c093012e5e2452c52a4cd

SHA1
034a7b5081f9ee32b6d553b8dd830c443c055396

SHA256
1c50578c03e60ec213cf80c816359996286e27ea3e8843c7685fc5e59a1b8ab6

SHA512
cbb6799992fa805c2e7a3c7ea203b9c1b1b43e7262ecf10ce87d795da8a1cd641570cc40840f34a7ef78e5fe22028d3b6438e6b089fea662851d4523eb1a0926

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
edc90bc0b58df933ec53f49805dce3c0

SHA1
84d4cb683c696e187588902a9183263258c5a358

SHA256
339787ac66040897ca4615d0f5af00b117a4c678dfc1834c96d0195140600b8c

SHA512
d72ac9db21de5fd560446f7bb49256ab86676aa0a80536d6a85836dfaff214417ac79393a0e78264d0ed4c47b2f2ed1224c16f337d9204760dcae8a274b238ee

Download Submit
\??\c:\program files (x86)\common files\lkawkalbo.pic

Filesize
1.6MB

MD5
685f4bb178ad6cab0edb6ffdf780577c

SHA1
a54e2888cc870d5f1ee6d8079c113a05261110d3

SHA256
6181de5044b243d055773d14d5de448e6e70a3c8a4b982c4ff4e6bedf99c80fa

SHA512
a25e5bd41c3f38144c3084b7dc9c90503ce047a37ce917ce6f430197313cee357cb3031bf522bf7cffac0a5d4f0850b1f08c855f04bdeef20be67b12a0b9850e

Download Submit
\Program Files (x86)\Common Files\Lkawkalbo.pic

Filesize
1.6MB

MD5
685f4bb178ad6cab0edb6ffdf780577c

SHA1
a54e2888cc870d5f1ee6d8079c113a05261110d3

SHA256
6181de5044b243d055773d14d5de448e6e70a3c8a4b982c4ff4e6bedf99c80fa

SHA512
a25e5bd41c3f38144c3084b7dc9c90503ce047a37ce917ce6f430197313cee357cb3031bf522bf7cffac0a5d4f0850b1f08c855f04bdeef20be67b12a0b9850e

Download Submit
memory/1972-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download