gh0strat | a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
Size

301KB
MD5

5b8541f797032f9b010a2f366aa9a867
SHA1

6aed03c328cc6997bb9b3b3806da13aa9adde8b3
SHA256

a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a
SHA512

a2583eec3f7fbe728b76e09cbf110162399b3213cfa4ef1624407e3f2a4d4860370417a8905068ddd34e4986372c9b67c3e5368a447bae4b284efdf89f353efc
SSDEEP

6144:aygeFWURgCHsMMwCy2WPNsoozQ9bd2wFpgSOhCrdUvMyc:fgeFtgC5MwP9Nk+2wFySOhCrmvMyc

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000139f3-86.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\amd32_.sys	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe

Executes dropped EXE 2 IoCs

pid	Process
1152	gitjfnomi.exe
1628	gjgitjfno.exe

Loads dropped DLL 10 IoCs

pid	Process
2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
1152	gitjfnomi.exe
1152	gitjfnomi.exe
1152	gitjfnomi.exe
2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
1628	gjgitjfno.exe
1628	gjgitjfno.exe
1628	gjgitjfno.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loveuu.bat	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
File created	C:\Program Files\h\gjgitjfno.dll	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
File opened for modification	C:\Program Files\Common Files\qiuqiu.cpp	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
File created	C:\Program Files\Common Files\qiuqiu.cpp	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
File created	C:\Program Files\h\jgitjfnom.exe	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
File created	C:\Program Files\h\gjgitjfno.exe	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
File created	C:\Program Files\h\gitjfnomi.exe	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
616	sc.exe
1440	sc.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 2028 wrote to memory of 1152	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	28
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 1152 wrote to memory of 1504	1152	gitjfnomi.exe	29
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 1628	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	31
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 616	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	32
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33
PID 2028 wrote to memory of 1440	2028	a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe	33

C:\Users\Admin\AppData\Local\Temp\a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe
"C:\Users\Admin\AppData\Local\Temp\a960c9181512f9ec1cbafbcc728cea90390879afe28dcac1d410f9771d7ae32a.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\h\gitjfnomi.exe
  "C:\Program Files\h\gitjfnomi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Program Files\h\gitjfnomi.exe
    3⤵
    PID:1504
- C:\Program Files\h\gjgitjfno.exe
  "C:\Program Files\h\gjgitjfno.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1628
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:616
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
C:\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
C:\Program Files\h\gjgitjfno.dll

Filesize
34.6MB

MD5
024a8e1687a2d2f0428fad6e1ff3b39e

SHA1
89619651e971eb2f7a1fd00cab0a80709ced713a

SHA256
9f346777e8cd4f80ba1f13331e1269d248a7efeb21c7766b23beb8484e7f06a1

SHA512
d0f12f2cadb0f94806c993a788afdcf29cb2cc1a0d3259db1eb2df010a3c09c031989fbcee7972c89a5c708be7d735c381bab312844e97acf75c10d98c73d53c

Download Submit
C:\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
C:\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
\Program Files\h\gitjfnomi.exe

Filesize
8.7MB

MD5
4f150d501a55796c55dfdea3b36a315e

SHA1
6d41b790cf5cba6d2cf57a9ada979ddbd525b867

SHA256
efe0d0e5bdd170e327cc53cd05a27c35c347396867a0ed4fbb18375775d60a36

SHA512
ac88ce332f69ed7df68cfde294a666b90b86714adfb3b0b6a1187f0766424f23fb77aea88e3b66453f50a9390d970466e846c5e7c77145a4bb04e6f515af4faa

Download Submit
\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
\Program Files\h\gjgitjfno.exe

Filesize
8.7MB

MD5
7556475804c1c4de2f25fef727e2a2fb

SHA1
bf1169acd1d1415dd58e332e58822adf92a19d9a

SHA256
5b740f557d8c9ce214f7a068c4b97a2a485d539834cf8bcf3ae04ffcffea3d1f

SHA512
b5f9f342ec9c311a488e1e9d29554228587966d4b25ad0f7445a4d5d7ff7e07e2d7366dacda8b45c9b5acf9613e99d714461b4ac35ff925ebcef303fd3def2c4

Download Submit
memory/1152-72-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1152-73-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1152-75-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1152-66-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2028-57-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2028-56-0x00000000008F0000-0x000000000097F000-memory.dmp

Filesize
572KB

Download
memory/2028-59-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2028-64-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2028-58-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2028-55-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2028-65-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download