gh0strat | fcafdb31ef7cc7b76a86db6e0f49971058339baf41904e6f3cfa14f47f5da1cd

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4c6a749789a8812561ee6d5ad511e430.exe
Size

964KB
MD5

4c6a749789a8812561ee6d5ad511e430
SHA1

d74784915583eabbc6c1118979da92f17b73e6a9
SHA256

fcafdb31ef7cc7b76a86db6e0f49971058339baf41904e6f3cfa14f47f5da1cd
SHA512

8e8a10f880307917436771166e450f6d8ffd3aba284bc0c0ed509c882b45957715640ef5d043d46a29f51ef476a6ccfc9ea31765284338e3de03bef75ed0a6ea
SSDEEP

24576:3LWwz5awaq/+OrLC7np+ysI/bivSFDt8MfNGHEml6kb:3L95atOJrLC7p+ybiq1t8MfNG5db

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2816-9640-0x0000000000400000-0x0000000000537000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
620	Kigkmkk.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\Q:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\X:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\Y:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\E:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\G:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\I:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\J:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\L:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\S:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\T:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\V:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\Z:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\K:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\N:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\P:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\W:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\B:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\M:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\O:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\R:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File opened (read-only)	\??\U:	NEAS.4c6a749789a8812561ee6d5ad511e430.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Kigkmkk.exe	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
File created	C:\Program Files (x86)\Kigkmkk.exe	NEAS.4c6a749789a8812561ee6d5ad511e430.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	NEAS.4c6a749789a8812561ee6d5ad511e430.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2816	NEAS.4c6a749789a8812561ee6d5ad511e430.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.4c6a749789a8812561ee6d5ad511e430.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4c6a749789a8812561ee6d5ad511e430.exe"
1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2816

C:\Program Files (x86)\Kigkmkk.exe
"C:\Program Files (x86)\Kigkmkk.exe"
1⤵
- Executes dropped EXE
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kigkmkk.exe

Filesize
964KB

MD5
4c6a749789a8812561ee6d5ad511e430

SHA1
d74784915583eabbc6c1118979da92f17b73e6a9

SHA256
fcafdb31ef7cc7b76a86db6e0f49971058339baf41904e6f3cfa14f47f5da1cd

SHA512
8e8a10f880307917436771166e450f6d8ffd3aba284bc0c0ed509c882b45957715640ef5d043d46a29f51ef476a6ccfc9ea31765284338e3de03bef75ed0a6ea

Download Submit
memory/620-8702-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/620-15084-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/620-11251-0x0000000002140000-0x00000000022C1000-memory.dmp

Filesize
1.5MB

Download
memory/2816-848-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-852-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-822-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-820-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-818-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-826-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-824-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-828-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-832-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-854-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-834-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-840-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-838-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-836-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-842-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-846-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-844-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-816-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-850-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-830-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-856-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-858-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-860-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-862-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-864-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-866-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-868-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-870-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-872-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-2547-0x0000000001F30000-0x00000000020B1000-memory.dmp

Filesize
1.5MB

Download
memory/2816-8686-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-8693-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-811-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-812-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-9640-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-814-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/2816-1-0x0000000075D50000-0x0000000075D97000-memory.dmp

Filesize
284KB

Download