gh0strat | 83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114

Analysis

max time kernel
142s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe
Size

88KB
MD5

d62bccacda615cbaacb022d1f37ce567
SHA1

e50dd823962b5219afe54866bfb0e7ba19824a68
SHA256

83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114
SHA512

76768fc44ce4a0ff37af8587ce2dc0f07953c371878c739ab4271a047a69a9ef64b9f1ee5f9991c753b7ca1873414dfd4f5d47a2f06202e9637d319d76b1fb90
SSDEEP

1536:mAhTyTTFQNC13U4rtnDb4tmJAuxJbCEryyfw6hqgrAjl+OP+ftTI00MRmhe:LhT2137DYmJAuxx9wPgrYl+OP+y00MRZ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000126d7-56.dat	family_gh0strat
behavioral1/files/0x000b0000000126d7-58.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1652	ghost-7666.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
360	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28
PID 1000 wrote to memory of 1652	1000	83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe	28

C:\Users\Admin\AppData\Local\Temp\83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe
"C:\Users\Admin\AppData\Local\Temp\83f9878a9b2bbda7e88f88df63947efd9c55afe50abfff7a28f4c7df4aafe114.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\ghost-7666.exe
  "C:\ghost-7666.exe"
  2⤵
  - Executes dropped EXE
  PID:1652

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Z5A[7BNJADPB2L1)UJ5(HW6.jpg

Filesize
8KB

MD5
17155775bb5e326c5799815f269b28d3

SHA1
5c1ceda496dc2beb562932f33d964ae492fb99e5

SHA256
b2412e5b49fffa71f6faa4b0d58b875713dbae9d4bdbecff7de7ed7e2ace1f7b

SHA512
4e0565a8b9a7b06255d8952225003f9764729c3f2d968a0aa8b9fcecfa42c323d9e45f171687485db0b4330232454a2b3f444cb56799cc8d2a8307ce806a55a0

Download Submit
C:\ghost-7666.exe

Filesize
106KB

MD5
f341f88c091e2dd581193eeeb5b3e0cb

SHA1
287f0dbfcff08b43804f83fc9a05fd94ebe590c0

SHA256
b3909e8f88e6a7971d8593b54a1cc174088f5abc63c80b12cfd82cb38de2fa9a

SHA512
7e10ba5e5fce92232c775d94441d782b86a638b099894bf74238fc50e4e296803d2d53d5da48eef4debc3d7d737778f3d7b5f9ece53956917788a2c2ca953479

Download Submit
C:\ghost-7666.exe

Filesize
106KB

MD5
f341f88c091e2dd581193eeeb5b3e0cb

SHA1
287f0dbfcff08b43804f83fc9a05fd94ebe590c0

SHA256
b3909e8f88e6a7971d8593b54a1cc174088f5abc63c80b12cfd82cb38de2fa9a

SHA512
7e10ba5e5fce92232c775d94441d782b86a638b099894bf74238fc50e4e296803d2d53d5da48eef4debc3d7d737778f3d7b5f9ece53956917788a2c2ca953479

Download Submit
memory/1000-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download