gh0strat | 04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
21/11/2023, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
Size

1.0MB
MD5

3374fbe1f5275dbe9c4cc5c0d1f3d68a
SHA1

7b0dc5e6344ee69e65c2f2de081c6974f1b47108
SHA256

04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067
SHA512

04b544faddea26106b37035b22d8783ce9e531e71defb007974d0e404a0318aa27aa28d495880bb83b4fa66763136a1ed4119ee8bdd1d2c777fc30252f8d7798
SSDEEP

24576:j5ivkcQJmbrZHv4H8dB6TPuyBez8O89E8ZHLC:jQOuVHv4H8dB6TPzBuo9E+W

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2220-8697-0x0000000000400000-0x0000000000573000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe

C:\Users\Admin\AppData\Local\Temp\04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe
"C:\Users\Admin\AppData\Local\Temp\04fa91caed041e182fc2781093b24b479172ea1af61f357fef168af63c611067.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: RenamesItself
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-0-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2220-1-0x0000000077270000-0x00000000772B7000-memory.dmp

Filesize
284KB

Download
memory/2220-814-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-816-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-812-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-811-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-820-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-818-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-822-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-826-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-824-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-828-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-830-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-832-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-834-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-838-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-836-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-840-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-842-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-844-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-846-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-850-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-854-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-858-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-856-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-852-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-848-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-860-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-862-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-864-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-868-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-866-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-872-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-870-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-2547-0x0000000002010000-0x0000000002191000-memory.dmp

Filesize
1.5MB

Download
memory/2220-8686-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2220-8693-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2220-8697-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download