gh0strat | bff74dc434e208598c2ba484341c6275eaeaa87992043f936e8915bde97b94a2

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/06/2023, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

188KB
MD5

1f3eff47818b6c31bf220154c0fdee12
SHA1

26772f42ff36dc47e4aed1f7bbb4b0e331978410
SHA256

bff74dc434e208598c2ba484341c6275eaeaa87992043f936e8915bde97b94a2
SHA512

8d49c5a8e8885a359732bfef5805f57e981aa16a624756f0c37287ef2a5ecd7b9932633c217e9f3bdb1d317317a6118cfced97afe268a7f72272f08726c5ac12
SSDEEP

3072:IWTDNVSbckR+z7uHVuoHsvmhtfwrHY52Lr0l7STUyg5f0oDAAt02un3:nvSbckA2VuisvmPOzptg5BA5p3

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1504-55-0x0000000010000000-0x000000001001E000-memory.dmp	family_gh0strat
behavioral1/memory/1504-54-0x0000000006A70000-0x0000000006ABE000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tmp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
796	vlc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe
1504	tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
796	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1976	AUDIODG.EXE
Token: 33	1976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1976	AUDIODG.EXE
Token: 33	796	vlc.exe
Token: SeIncBasePriorityPrivilege	796	vlc.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe
796	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1504	tmp.exe
796	vlc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 796	1504	tmp.exe	29
PID 1504 wrote to memory of 796	1504	tmp.exe	29
PID 1504 wrote to memory of 796	1504	tmp.exe	29
PID 1504 wrote to memory of 796	1504	tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file c:\IMG_0050.MOV
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\IMG_0050.MOV

Filesize
2.4MB

MD5
65b738f038962f076c94dee1f8b7db92

SHA1
41196bd05f89582c812e551dcde3ba6221e99c63

SHA256
628790c3dcd300d5934193a09323986a585bf60f8b8f9561812ce1977c6ce12c

SHA512
3bb978b6030c5d2c1d8303696cfbdb0c70230082876c804cd996a75faabb4cb8c58eeb7ab186df9bae8f396d5f59d45a4b33614c6b74f62827df082e9d5df5d3

Download Submit
memory/796-72-0x000000013FF00000-0x000000013FFF8000-memory.dmp

Filesize
992KB

Download
memory/796-73-0x000007FEFB260000-0x000007FEFB294000-memory.dmp

Filesize
208KB

Download
memory/796-74-0x000007FEF66C0000-0x000007FEF6974000-memory.dmp

Filesize
2.7MB

Download
memory/796-75-0x000007FEFB920000-0x000007FEFB938000-memory.dmp

Filesize
96KB

Download
memory/796-77-0x000007FEFB220000-0x000007FEFB231000-memory.dmp

Filesize
68KB

Download
memory/796-78-0x000007FEFB200000-0x000007FEFB217000-memory.dmp

Filesize
92KB

Download
memory/796-76-0x000007FEFB240000-0x000007FEFB257000-memory.dmp

Filesize
92KB

Download
memory/796-79-0x000007FEFB020000-0x000007FEFB031000-memory.dmp

Filesize
68KB

Download
memory/796-81-0x000007FEFAFE0000-0x000007FEFAFF1000-memory.dmp

Filesize
68KB

Download
memory/796-80-0x000007FEFB000000-0x000007FEFB01D000-memory.dmp

Filesize
116KB

Download
memory/796-82-0x000007FEF5570000-0x000007FEF661B000-memory.dmp

Filesize
16.7MB

Download
memory/796-83-0x000007FEF5370000-0x000007FEF5570000-memory.dmp

Filesize
2.0MB

Download
memory/796-84-0x000007FEF6C20000-0x000007FEF6C5F000-memory.dmp

Filesize
252KB

Download
memory/796-85-0x000007FEF6BF0000-0x000007FEF6C11000-memory.dmp

Filesize
132KB

Download
memory/796-87-0x000007FEF6BB0000-0x000007FEF6BC1000-memory.dmp

Filesize
68KB

Download
memory/796-89-0x000007FEF6B70000-0x000007FEF6B81000-memory.dmp

Filesize
68KB

Download
memory/796-91-0x000007FEF6B30000-0x000007FEF6B41000-memory.dmp

Filesize
68KB

Download
memory/796-92-0x000007FEF6B10000-0x000007FEF6B28000-memory.dmp

Filesize
96KB

Download
memory/796-94-0x000007FEF5300000-0x000007FEF5367000-memory.dmp

Filesize
412KB

Download
memory/796-93-0x000007FEF6AE0000-0x000007FEF6B10000-memory.dmp

Filesize
192KB

Download
memory/796-95-0x000007FEF5290000-0x000007FEF52FF000-memory.dmp

Filesize
444KB

Download
memory/796-96-0x000007FEF6AC0000-0x000007FEF6AD1000-memory.dmp

Filesize
68KB

Download
memory/796-97-0x000007FEF5230000-0x000007FEF5286000-memory.dmp

Filesize
344KB

Download
memory/796-90-0x000007FEF6B50000-0x000007FEF6B6B000-memory.dmp

Filesize
108KB

Download
memory/796-88-0x000007FEF6B90000-0x000007FEF6BA1000-memory.dmp

Filesize
68KB

Download
memory/796-86-0x000007FEF6BD0000-0x000007FEF6BE8000-memory.dmp

Filesize
96KB

Download
memory/796-98-0x000007FEF50B0000-0x000007FEF5228000-memory.dmp

Filesize
1.5MB

Download
memory/796-99-0x000007FEF6AA0000-0x000007FEF6AB7000-memory.dmp

Filesize
92KB

Download
memory/796-100-0x000007FEF4F40000-0x000007FEF50B0000-memory.dmp

Filesize
1.4MB

Download
memory/796-101-0x000007FEF66A0000-0x000007FEF66B2000-memory.dmp

Filesize
72KB

Download
memory/796-102-0x000007FEF4EF0000-0x000007FEF4F32000-memory.dmp

Filesize
264KB

Download
memory/796-103-0x000007FEF4EA0000-0x000007FEF4EEC000-memory.dmp

Filesize
304KB

Download
memory/796-104-0x000007FEF4D30000-0x000007FEF4E9B000-memory.dmp

Filesize
1.4MB

Download
memory/796-105-0x000007FEF4CD0000-0x000007FEF4D27000-memory.dmp

Filesize
348KB

Download
memory/796-106-0x000007FEF4A80000-0x000007FEF4CCB000-memory.dmp

Filesize
2.3MB

Download
memory/796-107-0x000007FEF32D0000-0x000007FEF4A80000-memory.dmp

Filesize
23.7MB

Download
memory/796-108-0x000007FEFAFD0000-0x000007FEFAFE0000-memory.dmp

Filesize
64KB

Download
memory/796-109-0x000007FEF32A0000-0x000007FEF32CF000-memory.dmp

Filesize
188KB

Download
memory/796-111-0x000007FEF3240000-0x000007FEF3256000-memory.dmp

Filesize
88KB

Download
memory/796-110-0x000007FEF6680000-0x000007FEF6691000-memory.dmp

Filesize
68KB

Download
memory/796-112-0x000007FEF3170000-0x000007FEF3235000-memory.dmp

Filesize
788KB

Download
memory/796-113-0x000007FEF30F0000-0x000007FEF3165000-memory.dmp

Filesize
468KB

Download
memory/796-114-0x000007FEF3080000-0x000007FEF30E2000-memory.dmp

Filesize
392KB

Download
memory/796-115-0x000007FEF3010000-0x000007FEF307D000-memory.dmp

Filesize
436KB

Download
memory/796-117-0x000007FEF2FD0000-0x000007FEF2FE4000-memory.dmp

Filesize
80KB

Download
memory/796-118-0x000007FEF2F80000-0x000007FEF2FD0000-memory.dmp

Filesize
320KB

Download
memory/796-119-0x000007FEF2F60000-0x000007FEF2F75000-memory.dmp

Filesize
84KB

Download
memory/796-116-0x000007FEF2FF0000-0x000007FEF3003000-memory.dmp

Filesize
76KB

Download
memory/796-120-0x000007FEF2D40000-0x000007FEF2F5D000-memory.dmp

Filesize
2.1MB

Download
memory/796-122-0x000007FEF2B60000-0x000007FEF2B83000-memory.dmp

Filesize
140KB

Download
memory/796-123-0x000007FEF2B40000-0x000007FEF2B53000-memory.dmp

Filesize
76KB

Download
memory/796-121-0x000007FEF2B90000-0x000007FEF2BA5000-memory.dmp

Filesize
84KB

Download
memory/796-124-0x000007FEF2A40000-0x000007FEF2B34000-memory.dmp

Filesize
976KB

Download
memory/796-125-0x000007FEF2880000-0x000007FEF2891000-memory.dmp

Filesize
68KB

Download
memory/796-126-0x000007FEF2860000-0x000007FEF2872000-memory.dmp

Filesize
72KB

Download
memory/796-127-0x000007FEF2830000-0x000007FEF285A000-memory.dmp

Filesize
168KB

Download
memory/796-128-0x000007FEF26B0000-0x000007FEF282A000-memory.dmp

Filesize
1.5MB

Download
memory/796-129-0x000007FEF2690000-0x000007FEF26A3000-memory.dmp

Filesize
76KB

Download
memory/796-130-0x000007FEF2670000-0x000007FEF268B000-memory.dmp

Filesize
108KB

Download
memory/796-131-0x000007FEF2650000-0x000007FEF2662000-memory.dmp

Filesize
72KB

Download
memory/1504-55-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1504-54-0x0000000006A70000-0x0000000006ABE000-memory.dmp

Filesize
312KB

Download