gh0strat | fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:01

Target

fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Size

143KB
MD5

debc4110e4f83e15d9775e0b701b543c
SHA1

59f852457a38d6f9a2048d2fc40521ef11f21fce
SHA256

fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672
SHA512

86c470380b444382d952938414a7603c549f43a7e2cfbd6c389313016764c38472a8fad8b6e1ae6ab7d3f6a5b4ed63414220a39a8bccee7cebe2a8416dd09bb7
SSDEEP

3072:yywZSQpKa3VGVnpUlCz764/9xpEEBqbZuwk5iGMuRqovC:y5JVGpxx9b3wZuwk4Glqo

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001318e-55.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-58.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1380	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FileName.jpg	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
File created	C:\Windows\FileName.jpg	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeRestorePrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeBackupPrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeRestorePrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeBackupPrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeRestorePrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeBackupPrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe
Token: SeRestorePrivilege	1556	fe570af16d3602ce58eb9ff25546c24f2388bf093618a4215f0d5138dbbf3672.exe

C:\1605900.dll

Filesize
101KB

MD5
549c8de8ab07f88123e0e6bdb70dd073

SHA1
d23f0586159dacdd3d96a7a88bcae1529873f85f

SHA256
79cb99f704006b0dd2b1a29ce5019d1f6d8958500bfebc7f4f9ff62ef97ae888

SHA512
492b02bf6311d55cde4a2f15f8d171ebcee622e1b7419b74b5392b5cb145a11ff5b30c2db138d97b566ddc8ee239cb1ed8920c3e4e60a9868e13b4e278df8126

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
069bac34c61eb79610e3d13d9b8a9bd9

SHA1
290ab27b0c49ab8e8844afc87416b8dd8004ff90

SHA256
7f877620339897a2a8e569464aa2179101d998d510ae74a88c686daa44fda58e

SHA512
02cbd5740b3172ba43ee3b9335a0a4cd16849386063de804560c40135a362070312ab4714029c69289f3f55af8b5f017df9a76119b7f215672143b6e10b4ee25

Download Submit
\??\c:\windows\filename.jpg

Filesize
2.3MB

MD5
54fda65bdb5c5d052f77efd9ab60f6a9

SHA1
c6375fb17ef04edbb575a4e3aca6c8c84ad47f44

SHA256
5aae908e74b0030e0b77c3897b3df5ee6db9e837e5ca7bde04522cb8a374a996

SHA512
ea703087a43c40eb145ed546049202c2f75f77ce62e4e7791914a9b2a0d497f61fba64bcf6d34b66c67b263ffd27e6c8ef340a4a04cbb72df109df70c8b434a9

Download Submit
memory/1556-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download