gh0strat | 0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41

Analysis

max time kernel
198s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Size

142KB
MD5

c5ea3d05484e0cb03a67a34d5d3b2b7f
SHA1

e07b876cc2215c31432a4297e38248a01f6e5b0b
SHA256

0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41
SHA512

559ecd09a4fe164040721429520d9558c20176287a0bcec55b309692433905066d353fede2e17dd02ae24d64a14190813104a625f132d9b74dbcaa71e50882b2
SSDEEP

3072:BeQYPX1Sp7+tFDZzxqE/34pEX9yjZcwT+kBeqovQ5:B+EoFDB3E8YZcwT+Weqo45

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000300000002265d-132.dat	family_gh0strat
behavioral2/files/0x000d00000002317e-133.dat	family_gh0strat
behavioral2/files/0x000d00000002317e-134.dat	family_gh0strat
behavioral2/files/0x000300000002265d-136.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
2648	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Lkawkalbo.pic	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
File created	C:\Program Files (x86)\Common Files\Lkawkalbo.pic	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeBackupPrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeBackupPrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeBackupPrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
Token: SeRestorePrivilege	3088	0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe

C:\Users\Admin\AppData\Local\Temp\0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe
"C:\Users\Admin\AppData\Local\Temp\0df58c6ffa752acc450cd3e3a3ad289e9e984c47bd04c178100c96b0f39cdb41.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\788900.dll

Filesize
105KB

MD5
1b7b76541a8c093012e5e2452c52a4cd

SHA1
034a7b5081f9ee32b6d553b8dd830c443c055396

SHA256
1c50578c03e60ec213cf80c816359996286e27ea3e8843c7685fc5e59a1b8ab6

SHA512
cbb6799992fa805c2e7a3c7ea203b9c1b1b43e7262ecf10ce87d795da8a1cd641570cc40840f34a7ef78e5fe22028d3b6438e6b089fea662851d4523eb1a0926

Download Submit
C:\788900.dll

Filesize
105KB

MD5
1b7b76541a8c093012e5e2452c52a4cd

SHA1
034a7b5081f9ee32b6d553b8dd830c443c055396

SHA256
1c50578c03e60ec213cf80c816359996286e27ea3e8843c7685fc5e59a1b8ab6

SHA512
cbb6799992fa805c2e7a3c7ea203b9c1b1b43e7262ecf10ce87d795da8a1cd641570cc40840f34a7ef78e5fe22028d3b6438e6b089fea662851d4523eb1a0926

Download Submit
C:\Program Files (x86)\Common Files\Lkawkalbo.pic

Filesize
4.1MB

MD5
cc67c17227dadef0f5871fb7702ba742

SHA1
3b2a75ccb92db2816818b8d04f628c4e1662021f

SHA256
d069f19aaa19640a74ca504f3b854de9783d6906b0ff3c0784f870f4e836c5a5

SHA512
4d96ff0e5d7ce004615fc0141cfc37641bad81b0dd117d5d1540dfddd1ddfa9ba15aea211991fc97c681dfdee6aa377da0f2d6b1e5c9c07aab3eefb15396e219

Download Submit
\??\c:\NT_Path.jpg

Filesize
116B

MD5
c1bd9c305de52b384055c4b3ba1f8006

SHA1
5bcd9ef6d3978837688b97217e328f3a5eac249b

SHA256
9b6b54d727b808d6ddd8b6ddaa8fbd1d2577ed6c3a61b0043d10ad977f0c5dc4

SHA512
cb75affc445018d2a056bdd54b10b91e013c9cedfdeab58458d8c368559e4c50350530d70062c052800810b30024090e69bdf6246c0301bb267c28530aed4ad5

Download Submit
\??\c:\program files (x86)\common files\lkawkalbo.pic

Filesize
4.1MB

MD5
cc67c17227dadef0f5871fb7702ba742

SHA1
3b2a75ccb92db2816818b8d04f628c4e1662021f

SHA256
d069f19aaa19640a74ca504f3b854de9783d6906b0ff3c0784f870f4e836c5a5

SHA512
4d96ff0e5d7ce004615fc0141cfc37641bad81b0dd117d5d1540dfddd1ddfa9ba15aea211991fc97c681dfdee6aa377da0f2d6b1e5c9c07aab3eefb15396e219

Download Submit