gh0strat | 46f3efb05e06e17600eea65c49c8700d5eb74ebb8611aa69981c413eb2e0c69a

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qpr.exe
Size

30KB
MD5

1908c7682637a1cb64030ff57ad27efd
SHA1

92146ad99ccdd943fd995c6a904ec523565a8653
SHA256

46f3efb05e06e17600eea65c49c8700d5eb74ebb8611aa69981c413eb2e0c69a
SHA512

f5ee6d7c14ac5ddbd37adcf9e7a1a1c85181513d8401ef87bbd4903d6b799a6b8f9d0b757904d6cc1e8e6aefebceee7c8c3dad089a4b7c90604380808df2e989
SSDEEP

768:DOu2N1RVWBQOAnbAYOwWxf3mOIW/b2Jbex787GR:alvEOI5QWiJbe5nR

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

154.39.248.196

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/2804-134-0x00000000038F0000-0x00000000039F0000-memory.dmp	family_gh0strat
behavioral2/memory/2804-135-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral2/memory/2804-139-0x00000000038F0000-0x00000000039F0000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	qpr.exe
File opened (read-only)	\??\P:	qpr.exe
File opened (read-only)	\??\Q:	qpr.exe
File opened (read-only)	\??\Z:	qpr.exe
File opened (read-only)	\??\J:	qpr.exe
File opened (read-only)	\??\L:	qpr.exe
File opened (read-only)	\??\M:	qpr.exe
File opened (read-only)	\??\R:	qpr.exe
File opened (read-only)	\??\S:	qpr.exe
File opened (read-only)	\??\T:	qpr.exe
File opened (read-only)	\??\Y:	qpr.exe
File opened (read-only)	\??\W:	qpr.exe
File opened (read-only)	\??\E:	qpr.exe
File opened (read-only)	\??\G:	qpr.exe
File opened (read-only)	\??\H:	qpr.exe
File opened (read-only)	\??\K:	qpr.exe
File opened (read-only)	\??\O:	qpr.exe
File opened (read-only)	\??\U:	qpr.exe
File opened (read-only)	\??\V:	qpr.exe
File opened (read-only)	\??\X:	qpr.exe
File opened (read-only)	\??\I:	qpr.exe
File opened (read-only)	\??\N:	qpr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qpr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qpr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	qpr.exe
2804	qpr.exe

C:\Users\Admin\AppData\Local\Temp\qpr.exe
"C:\Users\Admin\AppData\Local\Temp\qpr.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2804-134-0x00000000038F0000-0x00000000039F0000-memory.dmp

Filesize
1024KB

Download
memory/2804-135-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2804-139-0x00000000038F0000-0x00000000039F0000-memory.dmp

Filesize
1024KB

Download