gh0strat | 90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c

Analysis

max time kernel
153s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
Size

11.8MB
MD5

84d1b8f9debb4a0e336a8a4cb444eb33
SHA1

bbcf359df23a0cc764672c759226184bc54fd30a
SHA256

90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c
SHA512

453dba43165c0dd0269edfa04a6251791eb2a5149f85880b2b61138cd1c49d24654461f1d161d8209f34b074480d918cbf5730be44f7b345425daa8c08e88651
SSDEEP

196608:ubwAAhq4tUvEa4kqGher9AEXvUxhdJfpPw4QD+zuBRfG1XqrTIDK:ubnCfWvXqTJN8xBF1ZK4q

Score

10^/10

gh0strat rat upx vmprotect

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1748-107-0x0000000000400000-0x000000000052D000-memory.dmp	family_gh0strat
behavioral1/memory/1668-121-0x0000000000400000-0x000000000052D000-memory.dmp	family_gh0strat
behavioral1/memory/1748-131-0x0000000000400000-0x000000000052D000-memory.dmp	family_gh0strat
behavioral1/memory/1668-136-0x0000000000400000-0x000000000052D000-memory.dmp	family_gh0strat
behavioral1/memory/2248-148-0x0000000000400000-0x000000000052D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
1748	1.exe
1668	Dtldt.exe
2248	Dtldt.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2088-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/files/0x00040000000130e5-99.dat	upx
behavioral1/memory/2088-105-0x0000000004760000-0x000000000488D000-memory.dmp	upx
behavioral1/files/0x00040000000130e5-104.dat	upx
behavioral1/files/0x00040000000130e5-101.dat	upx
behavioral1/memory/1748-107-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral1/files/0x00040000000130e5-106.dat	upx
behavioral1/files/0x00040000000130e5-117.dat	upx
behavioral1/files/0x0034000000015ca0-120.dat	upx
behavioral1/memory/1668-121-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral1/memory/1748-131-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral1/files/0x0034000000015ca0-132.dat	upx
behavioral1/files/0x0034000000015ca0-133.dat	upx
behavioral1/memory/1668-136-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral1/memory/2248-148-0x0000000000400000-0x000000000052D000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2088-4-0x0000000000400000-0x0000000001B1E000-memory.dmp	vmprotect
behavioral1/memory/2088-9-0x0000000000400000-0x0000000001B1E000-memory.dmp	vmprotect
behavioral1/memory/2088-54-0x0000000000400000-0x0000000001B1E000-memory.dmp	vmprotect

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Dtldt.exe	1.exe
File created	C:\Windows\Dtldt.exe	1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1748	2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe	28
PID 2088 wrote to memory of 1748	2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe	28
PID 2088 wrote to memory of 1748	2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe	28
PID 2088 wrote to memory of 1748	2088	90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe	28
PID 1668 wrote to memory of 2248	1668	Dtldt.exe	30
PID 1668 wrote to memory of 2248	1668	Dtldt.exe	30
PID 1668 wrote to memory of 2248	1668	Dtldt.exe	30
PID 1668 wrote to memory of 2248	1668	Dtldt.exe	30

C:\Users\Admin\AppData\Local\Temp\90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe
"C:\Users\Admin\AppData\Local\Temp\90b1ff266e372c682edb1d335b339fdd647c438d21bda5e3d2739a21aa8aaa5c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\1.exe
  C:\Users\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

C:\Windows\Dtldt.exe
C:\Windows\Dtldt.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\Dtldt.exe
  C:\Windows\Dtldt.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\1.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
C:\Users\1.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
C:\Users\1.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
C:\Windows\Dtldt.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
C:\Windows\Dtldt.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
C:\Windows\Dtldt.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
\Users\1.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
\Users\1.exe

Filesize
494KB

MD5
6a487d4ff5ab55efb99243fafc9f7e62

SHA1
04c43c8f01e201298571a8060bf598880a865393

SHA256
b3e7d4b6f1c4a973e00d80a3426cd511d7159783c6eca8cfafd636e162870aa0

SHA512
0eb8763b432ca33d5f31d970946228980d2a93bcc23f01a0e73c5412cb1aa39a8f2f19d74e007e4042b5eb16e614556596606427ef4053123344bd2ae8d00bbf

Download Submit
memory/1668-136-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1668-121-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1748-131-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1748-107-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2088-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-29-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2088-31-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2088-32-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2088-34-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2088-36-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2088-37-0x0000000077130000-0x0000000077131000-memory.dmp

Filesize
4KB

Download
memory/2088-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-54-0x0000000000400000-0x0000000001B1E000-memory.dmp

Filesize
23.1MB

Download
memory/2088-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2088-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-26-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2088-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2088-24-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2088-105-0x0000000004760000-0x000000000488D000-memory.dmp

Filesize
1.2MB

Download
memory/2088-21-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2088-19-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2088-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2088-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2088-108-0x0000000004760000-0x000000000488D000-memory.dmp

Filesize
1.2MB

Download
memory/2088-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2088-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2088-9-0x0000000000400000-0x0000000001B1E000-memory.dmp

Filesize
23.1MB

Download
memory/2088-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2088-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2088-4-0x0000000000400000-0x0000000001B1E000-memory.dmp

Filesize
23.1MB

Download
memory/2088-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2088-145-0x0000000004760000-0x000000000488D000-memory.dmp

Filesize
1.2MB

Download
memory/2088-146-0x0000000004760000-0x000000000488D000-memory.dmp

Filesize
1.2MB

Download
memory/2248-148-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download