gh0strat | 2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c

Analysis

max time kernel
153s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Size

148KB
MD5

9507750f27baef1c5df41867d03ec96a
SHA1

5ba961185b9c4fff620e70af060fb1d231a6d6a1
SHA256

2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c
SHA512

16eaec7c329ea3c68e7a4d22108e8df84b708895ca321b59155fe822efc391289f65390b5fb09cbed55d677f8d30998018baaba187d02762fe7e878e5e4ac6cb
SSDEEP

3072:Y8wZSQpKa3VGVnpUlCz764/9xpEEBqbZuwpAWvGj:YnJVGpxx9b3wZuwpAWvG

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e39-132.dat	family_gh0strat
behavioral2/files/0x0004000000000725-133.dat	family_gh0strat
behavioral2/files/0x0004000000000725-134.dat	family_gh0strat
behavioral2/files/0x0007000000022e39-136.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
796	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FileName.jpg	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
File opened for modification	C:\Windows\FileName.jpg	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe
796	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeRestorePrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeBackupPrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeRestorePrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeBackupPrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeRestorePrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeBackupPrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
Token: SeRestorePrivilege	2972	2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe

C:\Users\Admin\AppData\Local\Temp\2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
"C:\Users\Admin\AppData\Local\Temp\2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2397000.dll

Filesize
130KB

MD5
e706a3120c0e6c16595932f4ebaa040b

SHA1
471a0c1ce2ae43df4351ddbc493a0b698b3a49bb

SHA256
0dbdeadd62b95e633a5ec98e698b7f8fb22360e42b2e26fdef1ae4ec2fe30707

SHA512
32cf320a76c69987c529158929861563262478200889c913b2e9fd8ffb9b25ff64ba40bf3e24e2e5f183f5c788d1a50f8fcb1280d23fb875260ff50906235a0d

Download Submit
C:\2397000.dll

Filesize
130KB

MD5
e706a3120c0e6c16595932f4ebaa040b

SHA1
471a0c1ce2ae43df4351ddbc493a0b698b3a49bb

SHA256
0dbdeadd62b95e633a5ec98e698b7f8fb22360e42b2e26fdef1ae4ec2fe30707

SHA512
32cf320a76c69987c529158929861563262478200889c913b2e9fd8ffb9b25ff64ba40bf3e24e2e5f183f5c788d1a50f8fcb1280d23fb875260ff50906235a0d

Download Submit
C:\Windows\FileName.jpg

Filesize
1006KB

MD5
62efb11201d5638b633673bd3693a24f

SHA1
2ad035dd6f1b65746cfceec9e4750eeb3f505e58

SHA256
2c098c01308f9a5e80145c784bdc0a5bc88387b96f541f2802c9f4df967c4906

SHA512
bef1ad3ab1de5c0761ad198e871239473d5cbb205f997f6d006952bf960ce1fedefb66a2d9e563074ebf6db670180a04c39bb87f5ce661c39c288d24c29061d2

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
6624f79909035a1c3752b02ce356c997

SHA1
b43d29e58303b6648a701635368e95824c535956

SHA256
89abc37cc9c0a591db649a5175ac8fe5172431f96e10f6042525b7ea2e621b00

SHA512
1a512961fe5803897f69799558d5f8312a43111fb026baf61abc107dd0ddc7ca63bb821dc698ef28428898e60808e87043a937f2f2c92bd8bc4c67103329ec6f

Download Submit
\??\c:\windows\filename.jpg

Filesize
1006KB

MD5
62efb11201d5638b633673bd3693a24f

SHA1
2ad035dd6f1b65746cfceec9e4750eeb3f505e58

SHA256
2c098c01308f9a5e80145c784bdc0a5bc88387b96f541f2802c9f4df967c4906

SHA512
bef1ad3ab1de5c0761ad198e871239473d5cbb205f997f6d006952bf960ce1fedefb66a2d9e563074ebf6db670180a04c39bb87f5ce661c39c288d24c29061d2

Download Submit