gh0strat | d3d68d7b09e5f02219129c961513b2ce084d13f0a3bdb9d1c7898fab18426df6

Analysis

max time kernel
119s
max time network
139s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
08-11-2023 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e.exe
Size

3.7MB
MD5

569aaee0d37aaf2cc146f8365fbfee0f
SHA1

abd07815d8c40c711a0a2dba8ed07b8f7c4d6ca7
SHA256

d3d68d7b09e5f02219129c961513b2ce084d13f0a3bdb9d1c7898fab18426df6
SHA512

1e59961fe4f89e014ad740a8df52925d63277be30874b7a46225b533028447dc0168ef3c83861b1174de5a72db9d3b135732860e26dfcd43cc74aef1c1884ea7
SSDEEP

98304:AI8xdgcmkuT93Cvmtud9LS51a+FsffmzSvV5/JbPPMYZAvl:AI8/gcYEVdFfmzSvV5/xUY2N

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2512-37-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/2512-36-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/2512-38-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/2512-42-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral1/memory/2512-44-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

render.exerender.exe

pid process

2512 render.exe
2600 render.exe
Loads dropped DLL 4 IoCs

Processes:

e.exerender.exerender.exe

pid process

2576 e.exe
2512 render.exe
2512 render.exe
2600 render.exe

pid	process
2512	render.exe
2600	render.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2512-33-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2512-37-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2512-36-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2512-38-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2512-42-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/memory/2512-44-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

e.exerender.exe

pid	process
2576	e.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe
2512	render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e.exe

pid process

2576 e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e.exerender.exe

description	pid	process	target process
PID 2576 wrote to memory of 2512	2576	e.exe	render.exe
PID 2576 wrote to memory of 2512	2576	e.exe	render.exe
PID 2576 wrote to memory of 2512	2576	e.exe	render.exe
PID 2576 wrote to memory of 2512	2576	e.exe	render.exe
PID 2512 wrote to memory of 2600	2512	render.exe	render.exe
PID 2512 wrote to memory of 2600	2512	render.exe	render.exe
PID 2512 wrote to memory of 2600	2512	render.exe	render.exe
PID 2512 wrote to memory of 2600	2512	render.exe	render.exe

C:\Users\Admin\AppData\Local\Temp\e.exe
"C:\Users\Admin\AppData\Local\Temp\e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\recovery\render.exe
"C:\recovery\render.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512

C:\recovery\render.exe
C:\recovery\render.exe --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel --handshake-handle=0xb8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\a6.txt

Filesize
1KB

MD5
b88a95ec3224ecf4ebcb53be37a31402

SHA1
72d4e42691713d59d4b698a274b0ac61d17b1e66

SHA256
d64f765ea386b9dea471488c9de23eb6cff908a88c3c72bd7de1a5247dcb8a3b

SHA512
38b0c1622a3d4ea6afeb2ff09067f18ec8a82038d037ca50fe13883e98799cc3216baba3713098ceb06887f13498ecdec7a5e6d450ada34591a9288d06a8c117

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
ad1a092999d352f840e473bbe16eb5eb

SHA1
4a9e7ace62f3d1607151effeddba6d961da57dad

SHA256
ec1d15393a1cc47dc0cba18029e92ec2842701c2f98fce95d4968f9c3a74dcba

SHA512
a4a5cf699bc53975e3c786d63c4eeee2ee0bdcda34e0156313dfd025ed186992519515e86c74bb1810b0671b5cafc8688f0bc873ccc2bd0dae0ff598a51f6f9c

Download Submit
C:\recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
C:\recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
\Recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
\Recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
memory/2512-32-0x0000000000A00000-0x0000000000A4E000-memory.dmp

Filesize
312KB

Download
memory/2512-31-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2512-33-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2512-37-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2512-36-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2512-38-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2512-41-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2512-42-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2512-44-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2576-6-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/2576-7-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download