gh0strat | 8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c

Analysis

max time kernel
37s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 00:59

Target

8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c.exe
Size

137KB
MD5

2ec81629c444464a87667e8ceea85430
SHA1

57b0a1fba62ce2d3171b36e59d19cec8dd8a07d2
SHA256

8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c
SHA512

06450ace7505c57c083b1f0002ef57aebbe597a1a3514f3c456994576073c9329da48e6f1007a17bd56acd2510f8138c8bd02073d0292ea14fabd53357acfb34
SSDEEP

3072:3QhZkOLfuDg0PtOqzKONqsEykRLSDhoBy5AlBu2K2rtNtJAbT:LOFStZzKqqsE6aB3gr2rFO

Score

10^/10

gh0strat rat upx

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1488-57-0x0000000010000000-0x000000001003B000-memory.dmp	family_gh0strat
behavioral1/memory/1488-58-0x0000000010000000-0x000000001003B000-memory.dmp	family_gh0strat
behavioral1/memory/1488-59-0x0000000010000000-0x000000001003B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1488-55-0x0000000010000000-0x000000001003B000-memory.dmp	upx
behavioral1/memory/1488-57-0x0000000010000000-0x000000001003B000-memory.dmp	upx
behavioral1/memory/1488-58-0x0000000010000000-0x000000001003B000-memory.dmp	upx
behavioral1/memory/1488-59-0x0000000010000000-0x000000001003B000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1488	8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c.exe
1488	8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c.exe
1488	8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c.exe

C:\Users\Admin\AppData\Local\Temp\8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c.exe
"C:\Users\Admin\AppData\Local\Temp\8e9da17695100eb328b7bf22cd6758502778a503ab2dfdb81745d4a96b5ae09c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1488-57-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1488-58-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1488-59-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download