gh0strat | f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22-12-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
Size

185KB
MD5

b11e7218cb481804403951feca2b5c23
SHA1

734dd67c960c786c2c55026605d5702dae6d0d86
SHA256

f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721
SHA512

6b7226dec6aa578c6a7f8c179be95604eaf426003d1726b47ebe18f31848df7d018b1396b49c07f4a6366b05b77382f40dc8b94907fb475828f63040e8acd073
SSDEEP

3072:2R1+aJe1mgawzxsBub861jIHxowh8j6X/3VGVnpUlCz764/9xpEEBqbZuwSy/Gmo:2RUTV5nA8j6XPVGpxx9b3wZuwSOGmYTJ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-57.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-58.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-60.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-61.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-62.dat	family_gh0strat
behavioral1/files/0x000a0000000144ba-63.dat	family_gh0strat
behavioral1/files/0x000a0000000144ba-64.dat	family_gh0strat
behavioral1/files/0x00080000000142c0-67.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1540	Jinqrk.exe

Loads dropped DLL 5 IoCs

pid	Process
1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
1540	Jinqrk.exe
1540	Jinqrk.exe
1540	Jinqrk.exe
560	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jinqrk.exe	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TvbPlayer\135.jpg	Jinqrk.exe
File created	C:\Program Files (x86)\TvbPlayer\135.jpg	Jinqrk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\NetSubKey	svchost.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe
560	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1540	Jinqrk.exe
Token: SeRestorePrivilege	1540	Jinqrk.exe
Token: SeBackupPrivilege	1540	Jinqrk.exe
Token: SeRestorePrivilege	1540	Jinqrk.exe
Token: SeBackupPrivilege	1540	Jinqrk.exe
Token: SeRestorePrivilege	1540	Jinqrk.exe
Token: SeBackupPrivilege	1540	Jinqrk.exe
Token: SeRestorePrivilege	1540	Jinqrk.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27
PID 1708 wrote to memory of 1540	1708	f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe	27

C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
"C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Jinqrk.exe
  "C:\Windows\System32\Jinqrk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\58400.dll

Filesize
113KB

MD5
8ac6d30b724bd5669cc6d062da672d9b

SHA1
a972660927e926576b492bddbf48f8b920965159

SHA256
3f299a304c3781e36dc7746ec4193e1df76df55303e65b4de2b70df0c3259498

SHA512
bfc6ff7edaa603bb6bb586c2a66f9b1110bc54544561cb7ca033dcce7ab87652624cbd10fdd2cfe1c6ac6f6de9772b2767ad4d3e76977d9960aaf2c839fb829f

Download Submit
C:\Windows\SysWOW64\Jinqrk.exe

Filesize
145KB

MD5
97e4261c496accf6eecb9d1f37fb1074

SHA1
951c902816a0ca83769dfdbd34e898d6bcb4af7d

SHA256
f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

SHA512
1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Download Submit
C:\Windows\SysWOW64\Jinqrk.exe

Filesize
145KB

MD5
97e4261c496accf6eecb9d1f37fb1074

SHA1
951c902816a0ca83769dfdbd34e898d6bcb4af7d

SHA256
f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

SHA512
1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Download Submit
\??\c:\NT_Path.jpg

Filesize
43B

MD5
4ff584fb0bbb2334a5b0b2ee37b500bf

SHA1
b71f3dca2751aef879d63e78b3ce87455a3e8922

SHA256
6f8015ee8e63e182af311483055312dc2027c3a5d06084f350dfdb468ad336a5

SHA512
f4f9e87b4ce0adf10af5fa2413d06c089dc06c7f89bfb2798e6006861809b68884b0c2a0972e19cc4b99d7805247d0df15f38812df7afa7772b03df384f4dc57

Download Submit
\??\c:\program files (x86)\tvbplayer\135.jpg

Filesize
10.8MB

MD5
9394604dfb96d03ca5c2a0245eea92c8

SHA1
75376c4c6f078e088e881fcb2511e62f19168449

SHA256
f69512fdfe94c63ee6364e7f7d7daeb09b81f61bfd706f33787af3e1b5b5e0ba

SHA512
d063ee31f965609a2cee8b81decb8fe851fe170ecd2d159065b902fc1ef9327046dd2651ec41d50f1e80db8e56ce53ee872a3aeaeccfe30e050d0ff254536dc6

Download Submit
\Program Files (x86)\TvbPlayer\135.jpg

Filesize
10.8MB

MD5
9394604dfb96d03ca5c2a0245eea92c8

SHA1
75376c4c6f078e088e881fcb2511e62f19168449

SHA256
f69512fdfe94c63ee6364e7f7d7daeb09b81f61bfd706f33787af3e1b5b5e0ba

SHA512
d063ee31f965609a2cee8b81decb8fe851fe170ecd2d159065b902fc1ef9327046dd2651ec41d50f1e80db8e56ce53ee872a3aeaeccfe30e050d0ff254536dc6

Download Submit
\Windows\SysWOW64\Jinqrk.exe

Filesize
145KB

MD5
97e4261c496accf6eecb9d1f37fb1074

SHA1
951c902816a0ca83769dfdbd34e898d6bcb4af7d

SHA256
f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

SHA512
1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Download Submit
\Windows\SysWOW64\Jinqrk.exe

Filesize
145KB

MD5
97e4261c496accf6eecb9d1f37fb1074

SHA1
951c902816a0ca83769dfdbd34e898d6bcb4af7d

SHA256
f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

SHA512
1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Download Submit
\Windows\SysWOW64\Jinqrk.exe

Filesize
145KB

MD5
97e4261c496accf6eecb9d1f37fb1074

SHA1
951c902816a0ca83769dfdbd34e898d6bcb4af7d

SHA256
f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

SHA512
1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Download Submit
\Windows\SysWOW64\Jinqrk.exe

Filesize
145KB

MD5
97e4261c496accf6eecb9d1f37fb1074

SHA1
951c902816a0ca83769dfdbd34e898d6bcb4af7d

SHA256
f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

SHA512
1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Download Submit
memory/1540-56-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download