gh0strat | 0e7805ea5b6540e59b5ccbcec8429d53745500a73c0df9794b14f0a2b993413d

Analysis

max time kernel
117s
max time network
143s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

招聘8000~10000急招！.exe
Size

3.4MB
MD5

15657565db569d1aa879e194dc00de93
SHA1

9014d598e0e2d6567bb33e8cd23b9cdcf520ed35
SHA256

689a0efe9b555bb7af55921445265076008b6f5e400587b2d40268220bb6cef6
SHA512

872f034932b16aa3e8d35ef383906da497927f7f873e6c0c6a7bb6404275ad685bacb931f406a149722d979794e7249d9d860cc2c09143fde654a4b5d8b3374f
SSDEEP

49152:qsmmparkOxyvT+yzUJ6Ya+AvTLaa6n57WA8J5:3kxtx/aR65T8J5

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2440-68-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/2440-69-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/2440-73-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2440	ClientDaemon.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-64-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2440-68-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2440-69-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2440-73-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\ClientDaemon.exe	招聘8000~10000急招！.exe
File created	\??\c:\windows\nw_elf.dll	招聘8000~10000急招！.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2440	ClientDaemon.exe
2468	招聘8000~10000急招！.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2440	2468	招聘8000~10000急招！.exe	28
PID 2468 wrote to memory of 2440	2468	招聘8000~10000急招！.exe	28
PID 2468 wrote to memory of 2440	2468	招聘8000~10000急招！.exe	28
PID 2468 wrote to memory of 2440	2468	招聘8000~10000急招！.exe	28

C:\Users\Admin\AppData\Local\Temp\招聘8000~10000急招！.exe
"C:\Users\Admin\AppData\Local\Temp\招聘8000~10000急招！.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468
- C:\windows\ClientDaemon.exe
  C:\windows\ClientDaemon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ClientDaemon.exe

Filesize
1.9MB

MD5
c654f1460f961fa85843230281fc0ab0

SHA1
a0068ba05dd836a0696b392ee1d6ab896c26e1e9

SHA256
10a4cef987f11011694bfb6362fe48c365826f913b172b3586faeb2f4f27ca17

SHA512
f7e122e9bfc4aa5f6c572e92fa685cc2e1b5b778c8bc1cc90f75b896677512a84369c04ebba40cc22cb04d4e76abbd44cc6a7ac2d07747f299f435bf32de5db4

Download Submit
C:\Windows\Temp\cb.txt

Filesize
1KB

MD5
b6faf82e2ce9e134094767b1139c8b5d

SHA1
e01b9fb3e69e30aead7d3feac448958d3acb9e72

SHA256
00cd51ef85bbb0056dc13f0ba573ed00297f032d021c0f84f4196c8f790001e0

SHA512
e0cef85cb4bd9c4a2d12bc960d4f6eb37aa256bcfa7a88544f9df712eb325198bb2f31695900443fb8e080c43dbcd743c42eaa8e3bed91b305cceb7309fd1685

Download Submit
C:\windows\nw_elf.dll

Filesize
8KB

MD5
810563e55316cf3e7a5fa3720d31b6a9

SHA1
dfd445ba9291f79edea6096b274af37b6f8d9cc0

SHA256
3081ed3c3c6b198dd1229206f183f25951d403e5231df8804cbf1a4cc2f0601c

SHA512
a56d9dac2b39f3f002ae57eba3fe256d165e72796d92a7164b36cf7b5a2b2f8e7198abf51847ae6266f1d541534ee068d01808eefe59008438f03b576aa1f2f7

Download Submit
memory/2440-62-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2440-63-0x00000000003D0000-0x000000000041E000-memory.dmp

Filesize
312KB

Download
memory/2440-64-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2440-68-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2440-69-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2440-72-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2440-73-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download