gh0strat | e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
Size

988KB
MD5

76acad3969c13508bd16dcdfde051f87
SHA1

97b8591d89bb86d3c798f7a74c7f9b26d4f306c2
SHA256

e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2
SHA512

77b114f8d2aacb1e2a533e003613904914863960e0fd4fb911c228a816d32f5b52e4ee688472771b53cab42e42ff083a0b5da97aed5e266b9e0236006efe456a
SSDEEP

24576:kYQ4o1ARmENR/2QDWSRpbhuCSAIgEXY49HYRnOBtcJtXSxQK4:s4ks92QDNuvnYG4dOzIXMT4

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2468-10959-0x0000000000400000-0x0000000000513000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2116	Jbrja.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Jbrja.exe	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
File created	C:\Windows\Jbrja.exe	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe

C:\Users\Admin\AppData\Local\Temp\e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe
"C:\Users\Admin\AppData\Local\Temp\e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\Jbrja.exe
C:\\Windows\\Jbrja.exe -auto
1⤵
- Executes dropped EXE
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Jbrja.exe

Filesize
988KB

MD5
76acad3969c13508bd16dcdfde051f87

SHA1
97b8591d89bb86d3c798f7a74c7f9b26d4f306c2

SHA256
e22d088079f0525a4135686f20137d47186adca7bac37ab51e4d7ea66ce2c2e2

SHA512
77b114f8d2aacb1e2a533e003613904914863960e0fd4fb911c228a816d32f5b52e4ee688472771b53cab42e42ff083a0b5da97aed5e266b9e0236006efe456a

Download Submit
memory/2116-8753-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2116-15682-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2116-11305-0x0000000000C30000-0x0000000000DB1000-memory.dmp

Filesize
1.5MB

Download
memory/2116-11303-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/2468-903-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-909-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-875-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-873-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-877-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-879-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-885-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-883-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-881-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-887-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-889-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-891-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-893-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-895-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-897-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-899-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-901-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-53-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2468-905-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-869-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-907-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-913-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-911-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-915-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-919-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-917-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-925-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-923-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-921-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-2600-0x0000000001D40000-0x0000000001E40000-memory.dmp

Filesize
1024KB

Download
memory/2468-2601-0x0000000001F60000-0x00000000020E1000-memory.dmp

Filesize
1.5MB

Download
memory/2468-8740-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-8745-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2468-871-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-865-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-10959-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2468-867-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-864-0x0000000002210000-0x0000000002321000-memory.dmp

Filesize
1.1MB

Download
memory/2468-54-0x0000000076210000-0x0000000076257000-memory.dmp

Filesize
284KB

Download