gh0strat | 37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c

Analysis

max time kernel
117s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe
Size

3.1MB
MD5

cbf303739418078a02fa834827205dcc
SHA1

4333aaacaf1e84385627f8fb57036f9dad556b5b
SHA256

37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c
SHA512

f809696588b116a39510b349e4002250e7071f05f507006f42b57335d07408528542d3b0ef4c648787d6a0f67c255d0dfc178f7223a9e9ad9d233de1e42b4c0f
SSDEEP

98304:KRx0mbRXa2XUtOBIYuFREMsmEEFCcJuzsEFhrKrU6mehNaB0ItvZz+pTWJ7zw:XmbRXHeVEW3MrKrEYIJZz+pTWJ7zw

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3624-172-0x0000000002A30000-0x0000000002AAB000-memory.dmp	family_gh0strat
behavioral2/memory/3624-189-0x0000000002790000-0x0000000002826000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
3624	QNApp.exe

Loads dropped DLL 4 IoCs

pid	Process
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	QNApp.exe
File opened (read-only)	\??\X:	QNApp.exe
File opened (read-only)	\??\G:	QNApp.exe
File opened (read-only)	\??\K:	QNApp.exe
File opened (read-only)	\??\N:	QNApp.exe
File opened (read-only)	\??\Z:	QNApp.exe
File opened (read-only)	\??\E:	QNApp.exe
File opened (read-only)	\??\H:	QNApp.exe
File opened (read-only)	\??\L:	QNApp.exe
File opened (read-only)	\??\M:	QNApp.exe
File opened (read-only)	\??\P:	QNApp.exe
File opened (read-only)	\??\Q:	QNApp.exe
File opened (read-only)	\??\S:	QNApp.exe
File opened (read-only)	\??\T:	QNApp.exe
File opened (read-only)	\??\B:	QNApp.exe
File opened (read-only)	\??\I:	QNApp.exe
File opened (read-only)	\??\J:	QNApp.exe
File opened (read-only)	\??\U:	QNApp.exe
File opened (read-only)	\??\Y:	QNApp.exe
File opened (read-only)	\??\O:	QNApp.exe
File opened (read-only)	\??\V:	QNApp.exe
File opened (read-only)	\??\W:	QNApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe
3624	QNApp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3940	37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe
3940	37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3624	3940	37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe	83
PID 3940 wrote to memory of 3624	3940	37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe	83
PID 3940 wrote to memory of 3624	3940	37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe	83

C:\Users\Admin\AppData\Local\Temp\37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe
"C:\Users\Admin\AppData\Local\Temp\37b2da507342c6928564cecf9c493b6b44c32b144a66f3a3fea3d52b79ba369c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Public\qnbin\QNApp.exe
  "C:\Users\Public\qnbin\QNApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\qnbin\QNApp.dat

Filesize
61B

MD5
8dec4d378ec028418d9ce7a87984a5ad

SHA1
03ed588a71a64f892a6e9396c7e475af572d2db8

SHA256
3d14cb45366656bc30a8ba3dba10f06cdcc9a9fbf21a0e6593168a75a7a5a9f4

SHA512
040f48a72e28dc40992bf01e47e43b540d156cd5667b58833929aed716e4127ec60e45954170c9573484c5d8ab3ce74d92b2f3953ea8f1d65acb15287a6b9324

Download Submit
C:\Users\Public\qnbin\QNApp.exe

Filesize
1.6MB

MD5
4c327001f7a898ac79a555c6ea418b50

SHA1
a24eabe2c5e3b332eb2de94edeacf20764675512

SHA256
e6d788a169498166d31b2dde857f4806ffe6dc4e78c2b1e4b9bdd92b145c38f8

SHA512
00299d4ff0c198223004ad366cad2a35d50ba6f502dd39bbafb27879bb0dd58c55253a81ed24f8ff65a2736cb7713749165beb739723380585f850d7659e512e

Download Submit
C:\Users\Public\qnbin\QNApp.exe

Filesize
1.6MB

MD5
4c327001f7a898ac79a555c6ea418b50

SHA1
a24eabe2c5e3b332eb2de94edeacf20764675512

SHA256
e6d788a169498166d31b2dde857f4806ffe6dc4e78c2b1e4b9bdd92b145c38f8

SHA512
00299d4ff0c198223004ad366cad2a35d50ba6f502dd39bbafb27879bb0dd58c55253a81ed24f8ff65a2736cb7713749165beb739723380585f850d7659e512e

Download Submit
C:\Users\Public\qnbin\QNApp.exe

Filesize
1.6MB

MD5
4c327001f7a898ac79a555c6ea418b50

SHA1
a24eabe2c5e3b332eb2de94edeacf20764675512

SHA256
e6d788a169498166d31b2dde857f4806ffe6dc4e78c2b1e4b9bdd92b145c38f8

SHA512
00299d4ff0c198223004ad366cad2a35d50ba6f502dd39bbafb27879bb0dd58c55253a81ed24f8ff65a2736cb7713749165beb739723380585f850d7659e512e

Download Submit
C:\Users\Public\qnbin\donottrace.txt

Filesize
576KB

MD5
ee2721238688a514261dd12f79f13a7e

SHA1
e25663e81f3edc70da07bea1d97a587c355fd331

SHA256
b92b8140c5ffe31cb9506064e34f76c622f317625836c417ab8185f74ca844c9

SHA512
86df67e82ea34374b12881a5beeb5980ea22cf0415635a3d16ed167105b98dfb69538640b23ecbdbd11a3ac9f1fcb263608aa58f22333869923bd16b676e491e

Download Submit
C:\Users\Public\qnbin\natudp.dll

Filesize
226KB

MD5
77bed6cf38e9ea5c19aaebed191a8530

SHA1
ace6ad9fbf091ee8b1c737c5af3f8d4bdf1dbc81

SHA256
7277b07dc4b5dcea614addf3c0f8405a4d92504487a7935cff17dbe4e93f5ff7

SHA512
8df0353c6384750a5f45d9a3d669994834222d8544bccf0bf21ae54cbceb8f59ae5d0178d6024b4f8420af7329368682126e0180cc1f0cc1aebdfb39fa36ad9d

Download Submit
C:\Users\Public\qnbin\natudp.dll

Filesize
226KB

MD5
77bed6cf38e9ea5c19aaebed191a8530

SHA1
ace6ad9fbf091ee8b1c737c5af3f8d4bdf1dbc81

SHA256
7277b07dc4b5dcea614addf3c0f8405a4d92504487a7935cff17dbe4e93f5ff7

SHA512
8df0353c6384750a5f45d9a3d669994834222d8544bccf0bf21ae54cbceb8f59ae5d0178d6024b4f8420af7329368682126e0180cc1f0cc1aebdfb39fa36ad9d

Download Submit
C:\Users\Public\qnbin\natudp.dll

Filesize
226KB

MD5
77bed6cf38e9ea5c19aaebed191a8530

SHA1
ace6ad9fbf091ee8b1c737c5af3f8d4bdf1dbc81

SHA256
7277b07dc4b5dcea614addf3c0f8405a4d92504487a7935cff17dbe4e93f5ff7

SHA512
8df0353c6384750a5f45d9a3d669994834222d8544bccf0bf21ae54cbceb8f59ae5d0178d6024b4f8420af7329368682126e0180cc1f0cc1aebdfb39fa36ad9d

Download Submit
C:\Users\Public\qnbin\p2pengine.dll

Filesize
1.7MB

MD5
ee4ab600771c9548fc28991306a8ca03

SHA1
65f58345373010c212402e5dd5ca7054b0a1fb6b

SHA256
98c70ec3bf2b64bb35df05a73171eea3155c6c406bf710d3e5650230ab553ac0

SHA512
241fd83572809aa1865c477955f44a9fd464050251fe9e4a219d0ff0988ef35873acbb17fe5747aa74f78df788055e13b18427ae9e8343898dec8bf0c00514bb

Download Submit
C:\Users\Public\qnbin\p2pengine.dll

Filesize
1.7MB

MD5
ee4ab600771c9548fc28991306a8ca03

SHA1
65f58345373010c212402e5dd5ca7054b0a1fb6b

SHA256
98c70ec3bf2b64bb35df05a73171eea3155c6c406bf710d3e5650230ab553ac0

SHA512
241fd83572809aa1865c477955f44a9fd464050251fe9e4a219d0ff0988ef35873acbb17fe5747aa74f78df788055e13b18427ae9e8343898dec8bf0c00514bb

Download Submit
C:\Users\Public\qnbin\p2pengineOrg.DLL

Filesize
534KB

MD5
70a865af2fe233a3343c1b2744d537dd

SHA1
98191d4b28aa5f548486daf8ad3adbe369d4a986

SHA256
354a6edf126384d9f67d4727f851df13c711a40c8d1c3606b74bfb0176873d2c

SHA512
1614cc1b9df9bcccaf0cf53b42ec79f6c4ea34284ea1f12025590d725894b5af3c308173a9bbe7b31cd5bdacd398a7bd0ab0c092027ce68a79a7bf86c3c91eb9

Download Submit
C:\Users\Public\qnbin\p2pengineOrg.dll

Filesize
534KB

MD5
70a865af2fe233a3343c1b2744d537dd

SHA1
98191d4b28aa5f548486daf8ad3adbe369d4a986

SHA256
354a6edf126384d9f67d4727f851df13c711a40c8d1c3606b74bfb0176873d2c

SHA512
1614cc1b9df9bcccaf0cf53b42ec79f6c4ea34284ea1f12025590d725894b5af3c308173a9bbe7b31cd5bdacd398a7bd0ab0c092027ce68a79a7bf86c3c91eb9

Download Submit
C:\Users\Public\qnbin\task.dat

Filesize
76B

MD5
9e19144577ea0d02701a16d365667f98

SHA1
8822fa1081a8ffe5ed4308fb63b01c4db4712b8f

SHA256
b4999976fc9d252de099e8a88965e3d2798cdf47fd21a2f87c54dfa8e2db2762

SHA512
be25721f87b594a7d2045663de9d9ce94fce79c8d20523d281d0fc6571b845d435487c11eb35e3ebd22d53c3d1525606f03254b7594a74e60c6ad4eb3ac9253b

Download Submit
C:\Users\Public\qnbin\task.dat

Filesize
76B

MD5
9e19144577ea0d02701a16d365667f98

SHA1
8822fa1081a8ffe5ed4308fb63b01c4db4712b8f

SHA256
b4999976fc9d252de099e8a88965e3d2798cdf47fd21a2f87c54dfa8e2db2762

SHA512
be25721f87b594a7d2045663de9d9ce94fce79c8d20523d281d0fc6571b845d435487c11eb35e3ebd22d53c3d1525606f03254b7594a74e60c6ad4eb3ac9253b

Download Submit
memory/3624-162-0x00000000024A0000-0x00000000024D8000-memory.dmp

Filesize
224KB

Download
memory/3624-166-0x0000000002790000-0x0000000002826000-memory.dmp

Filesize
600KB

Download
memory/3624-172-0x0000000002A30000-0x0000000002AAB000-memory.dmp

Filesize
492KB

Download
memory/3624-165-0x0000000002790000-0x0000000002826000-memory.dmp

Filesize
600KB

Download
memory/3624-189-0x0000000002790000-0x0000000002826000-memory.dmp

Filesize
600KB

Download