gh0strat | caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a

Analysis

max time kernel
137s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/04/2023, 16:19

Target

caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe
Size

310KB
MD5

65deedccc1dcbe6b1cbc074c3855e0ba
SHA1

0d5051e9329194a96f8836082f6e308b3520a495
SHA256

caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a
SHA512

c1ad0acaa2ed39ee15eb63a0c0d198862d7fc6135858c4e69ca6f901a21c42dbeb03e4429f19d3e4fd977ddd92033b8b7edff99be13c8d5d9df64f7d7695444d
SSDEEP

3072:VNWlkU/r+37BO8ynhvd01vYJPp9Hfj/NTNW95xpIImWKyB:V4l9+3QZd0QPp9HfZu5LIImWv

Score

10^/10

gh0strat rat upx

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/1704-64-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/1704-63-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/836-75-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/836-80-0x0000000002C40000-0x0000000002D8C000-memory.dmp	family_gh0strat
behavioral1/memory/836-79-0x0000000002C40000-0x0000000002D8C000-memory.dmp	family_gh0strat
behavioral1/memory/836-82-0x0000000002C40000-0x0000000002D8C000-memory.dmp	family_gh0strat
behavioral1/memory/836-86-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/836-84-0x0000000002C40000-0x0000000002D8C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	836	cmd.exe
8	836	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1704-60-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/1704-64-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/1704-63-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/836-75-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/836-76-0x0000000002C40000-0x0000000002D8C000-memory.dmp	upx
behavioral1/memory/836-80-0x0000000002C40000-0x0000000002D8C000-memory.dmp	upx
behavioral1/memory/836-79-0x0000000002C40000-0x0000000002D8C000-memory.dmp	upx
behavioral1/memory/836-82-0x0000000002C40000-0x0000000002D8C000-memory.dmp	upx
behavioral1/memory/836-86-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/836-84-0x0000000002C40000-0x0000000002D8C000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 29 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 836	1704	caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe	30
PID 1704 wrote to memory of 836	1704	caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe	30
PID 1704 wrote to memory of 836	1704	caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe	30
PID 1704 wrote to memory of 836	1704	caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe	30
PID 1704 wrote to memory of 836	1704	caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe	30

C:\Users\Admin\AppData\Local\Temp\caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe
"C:\Users\Admin\AppData\Local\Temp\caece8f8ccb77b8a3e2ee14770e2c4b734a8573b8a0dc676be0782e27389182a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe -Puppet
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:836

memory/836-79-0x0000000002C40000-0x0000000002D8C000-memory.dmp

Filesize
1.3MB

Download
memory/836-65-0x0000000000200000-0x000000000024E000-memory.dmp

Filesize
312KB

Download
memory/836-75-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/836-76-0x0000000002C40000-0x0000000002D8C000-memory.dmp

Filesize
1.3MB

Download
memory/836-80-0x0000000002C40000-0x0000000002D8C000-memory.dmp

Filesize
1.3MB

Download
memory/836-82-0x0000000002C40000-0x0000000002D8C000-memory.dmp

Filesize
1.3MB

Download
memory/836-86-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/836-84-0x0000000002C40000-0x0000000002D8C000-memory.dmp

Filesize
1.3MB

Download
memory/1704-59-0x00000000007E0000-0x000000000082E000-memory.dmp

Filesize
312KB

Download
memory/1704-60-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1704-64-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1704-63-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1704-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download