gh0strat | dfe88c225ba76e233c2dced11d32b3cf994466692dd8ab85be655907231e8acb

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1433.exe
Size

89KB
MD5

5aba57f11f1176d0a81dc28af9e77bdc
SHA1

efd087836b0bdd281b984bde113ab7f234cb38da
SHA256

4cc6f99c47bac7dd9f849aed8b0509511d5015efc80a284ba9a66cc60a36a559
SHA512

12ff3484fd7cfa6f290159a32e689f5130932806b4b2ccedae888eff30f420686ebefcdf5bb3e1013257830fc64f925cd26f776855ffb0b48465de64420ed59d
SSDEEP

1536:A9IywkUpmqyz2Wq9/lwiMbtzW56lq1eFd6+BHy7dHc4uNg/t4Bu6:A9IYiy6bjkDkMvHB8cj46

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral25/memory/1380-55-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral25/memory/1380-56-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral25/memory/1380-60-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral25/memory/908-69-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral25/memory/908-70-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral25/memory/908-71-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral25/files/0x000a000000012313-72.dat	family_gh0strat
behavioral25/files/0x000a000000012313-73.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
908	eqjsmesvkb

Deletes itself 1 IoCs

pid	Process
908	eqjsmesvkb

Loads dropped DLL 2 IoCs

pid	Process
1380	1433.exe
1008	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
908	eqjsmesvkb

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	908	eqjsmesvkb
Token: SeBackupPrivilege	908	eqjsmesvkb
Token: SeBackupPrivilege	908	eqjsmesvkb
Token: SeRestorePrivilege	908	eqjsmesvkb

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 908	1380	1433.exe	27
PID 1380 wrote to memory of 908	1380	1433.exe	27
PID 1380 wrote to memory of 908	1380	1433.exe	27
PID 1380 wrote to memory of 908	1380	1433.exe	27
PID 1380 wrote to memory of 908	1380	1433.exe	27
PID 1380 wrote to memory of 908	1380	1433.exe	27
PID 1380 wrote to memory of 908	1380	1433.exe	27

C:\Users\Admin\AppData\Local\Temp\1433.exe
"C:\Users\Admin\AppData\Local\Temp\1433.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380
- \??\c:\users\admin\appdata\local\eqjsmesvkb
  "C:\Users\Admin\AppData\Local\Temp\1433.exe" a -sc:\users\admin\appdata\local\temp\1433.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eqjsmesvkb

Filesize
22.2MB

MD5
15026e4a785423887638b79c76ff2ef5

SHA1
a412c553e2a31857100f356a516c7a7ca2f83cd3

SHA256
dd778e9bee98127a97ab1dba6dc0ba17466098aad594807733fcdecde4122a04

SHA512
a293df2ae768f747f9ca67e87b54294ab55cb6e796d95a2db561e0c09ee45510ee85ea2cbadacfbdadcbac4f62e68c4397dc728964d74bf27e2d2841b6db0567

Download Submit
\??\c:\programdata\drm\%sessionname%\kgmqd.cc3

Filesize
3.7MB

MD5
f5374c7bdba66232654820d588afff3c

SHA1
e18546c29f69832b93b92c0eb5866baa4f5ca0f1

SHA256
92f095ecb106338dad37f1dd1a942dc14d77ad1f8d01b11d2dcb4abaec93c551

SHA512
d90ca4e5c80500193d87ccc4657c571415f7ff05fd7dbff0a2e62d2fefd174127d49567e86644a193aa1e6a007133562a74b27280ed4419adff7ff7371867897

Download Submit
\??\c:\users\admin\appdata\local\eqjsmesvkb

Filesize
22.2MB

MD5
15026e4a785423887638b79c76ff2ef5

SHA1
a412c553e2a31857100f356a516c7a7ca2f83cd3

SHA256
dd778e9bee98127a97ab1dba6dc0ba17466098aad594807733fcdecde4122a04

SHA512
a293df2ae768f747f9ca67e87b54294ab55cb6e796d95a2db561e0c09ee45510ee85ea2cbadacfbdadcbac4f62e68c4397dc728964d74bf27e2d2841b6db0567

Download Submit
\ProgramData\DRM\%SESSIONNAME%\kgmqd.cc3

Filesize
2.8MB

MD5
6d864441407ed6ae3aa1bcab6c356244

SHA1
2353884347106bd0a205ad34754b1b683e84a21d

SHA256
a3c0b82b02a68e65e685f0820bd28e8be572877649668ec485c9b40f4f9cfb84

SHA512
65aed289d3b196d67ce8d5b5cced765cecd107319f4de482ad8467a410b951d3c9799d703a981696cac86d31a7ca76e9e08411707c7cccf755b6ad5e8613eda3

Download Submit
\Users\Admin\AppData\Local\eqjsmesvkb

Filesize
22.2MB

MD5
15026e4a785423887638b79c76ff2ef5

SHA1
a412c553e2a31857100f356a516c7a7ca2f83cd3

SHA256
dd778e9bee98127a97ab1dba6dc0ba17466098aad594807733fcdecde4122a04

SHA512
a293df2ae768f747f9ca67e87b54294ab55cb6e796d95a2db561e0c09ee45510ee85ea2cbadacfbdadcbac4f62e68c4397dc728964d74bf27e2d2841b6db0567

Download Submit
memory/908-71-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/908-70-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/908-69-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1380-58-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1380-66-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1380-62-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1380-61-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1380-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1380-59-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-57-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1380-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1380-55-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download