gh0strat | c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74

Analysis

max time kernel
151s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Size

83KB
MD5

9ea10769a44c13354db57f6fc2d01228
SHA1

9762e68168b428073a4550698926dfd36c2d9c8a
SHA256

c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74
SHA512

5ae20bf04d1733f0bbc272e85995b1d0636b528dc06fe4896c09852a5f6afbe6f2d25c1faf952d38f11be0f9cf345bfda5e5acac7539fa149e1ae13ceca715a1
SSDEEP

1536:vov8KAfHKom0o2CFxAhFbzFHFzwY2b6zhixWWLsZWK3hHGD6dFI:gteqovoTFChFblFds2i+ZPJ2EFI

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/3140-132-0x0000000000400000-0x000000000043D000-memory.dmp	family_gh0strat
behavioral2/files/0x0004000000022dbd-133.dat	family_gh0strat
behavioral2/files/0x0006000000022de5-134.dat	family_gh0strat
behavioral2/files/0x0006000000022de5-135.dat	family_gh0strat
behavioral2/files/0x0004000000022dbd-137.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
616	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Letj\Tskxencvq.jpg	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
File created	C:\Program Files (x86)\Letj\Tskxencvq.jpg	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\NetSubKey	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeRestorePrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeBackupPrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeRestorePrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeBackupPrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeRestorePrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeBackupPrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
Token: SeRestorePrivilege	3140	c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe

C:\Users\Admin\AppData\Local\Temp\c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe
"C:\Users\Admin\AppData\Local\Temp\c73113228c08c10eb206e1d32c37e92c38c526a42d70357042aee41e7c6c1d74.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2581900.dll

Filesize
101KB

MD5
e4f86e223ecfaf6f4d872e85a676cac3

SHA1
b624a146f51694dbe21a144a915b0bc09c88b4ec

SHA256
1def30f1927668581deb10561ad4ab2d135fb9bfcfc0d31af480a72e3cad7e27

SHA512
b97e0259640dc2b4614a25b441caef6db7265b0e3c92f348d2199c0e56116e750af5f57b7c484e8e7158ee318f245184560de55f33c3a92148c52928211ac5c8

Download Submit
C:\2581900.dll

Filesize
101KB

MD5
e4f86e223ecfaf6f4d872e85a676cac3

SHA1
b624a146f51694dbe21a144a915b0bc09c88b4ec

SHA256
1def30f1927668581deb10561ad4ab2d135fb9bfcfc0d31af480a72e3cad7e27

SHA512
b97e0259640dc2b4614a25b441caef6db7265b0e3c92f348d2199c0e56116e750af5f57b7c484e8e7158ee318f245184560de55f33c3a92148c52928211ac5c8

Download Submit
C:\Program Files (x86)\Letj\Tskxencvq.jpg

Filesize
9.7MB

MD5
da30c089ef012d77b847b7f49372072a

SHA1
c591f81d32423f1ec0b3d1dec494b452ded2ab38

SHA256
8e31d484aefa7974b59e81e95aec6f5bbadfc0e006d375fe9bfee87d26b34c28

SHA512
b50944385a9b2b41c6e4d5ed5652cab670cda62702ffa18c7b60411d4f10eae0c7c20f54be88a0ad62ccc987b911c02d71f643e15933e2e3d5dd35f4764f1ded

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
4242cd560f78300680f7ad46bcded479

SHA1
c1607f8329691baac289a0fef4ba63fa1529cfad

SHA256
b63a1707f74430adfa53a93e44bd48c0f82b63463cbceccd7e7dd2971a365a5a

SHA512
b02863682709d0f62d2701517575b8950e8ac31f56b8699e518ddfdf5753daa67f029120a55481af69fd095346bb3a22e0c0ca5b7eb668ae919a61ab2c5acb02

Download Submit
\??\c:\program files (x86)\letj\tskxencvq.jpg

Filesize
9.7MB

MD5
da30c089ef012d77b847b7f49372072a

SHA1
c591f81d32423f1ec0b3d1dec494b452ded2ab38

SHA256
8e31d484aefa7974b59e81e95aec6f5bbadfc0e006d375fe9bfee87d26b34c28

SHA512
b50944385a9b2b41c6e4d5ed5652cab670cda62702ffa18c7b60411d4f10eae0c7c20f54be88a0ad62ccc987b911c02d71f643e15933e2e3d5dd35f4764f1ded

Download Submit
memory/3140-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download