gh0strat | df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
Size

1.2MB
MD5

ee314caa19f51ff2010bf31bd89c0d45
SHA1

54579d7258c887b2ffbcc963d0f090b9fec91931
SHA256

df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c
SHA512

64bc4978c4e09cfec6aa8166d20db5e11d83b086c7c3ba7727ac1d1c7174c7b3fe9b717f536d28c47e58023370389e03f6ec34b40f13002cd93f7b0cf5fe52ad
SSDEEP

24576:5068q4ii3ZfYGKGKrBJXkvkrcwlyDghKFroghjeezMjjm6JK0Sx0p0t:Otr339YGKGKv9czgh0vaeWvJK0gH

Score

10^/10

gh0strat rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1976-16-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1976	cellinst.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect
behavioral2/memory/3012-1-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect
behavioral2/memory/3012-2-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect
behavioral2/memory/3012-19-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect
behavioral2/memory/3012-20-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1976	cellinst.exe
Token: SeIncBasePriorityPrivilege	1976	cellinst.exe
Token: 33	1976	cellinst.exe
Token: SeIncBasePriorityPrivilege	1976	cellinst.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3012	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
3012	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
3012	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1976	3012	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	91
PID 3012 wrote to memory of 1976	3012	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	91
PID 3012 wrote to memory of 1976	3012	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	91

C:\Users\Admin\AppData\Local\Temp\df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
"C:\Users\Admin\AppData\Local\Temp\df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\DTLSoft\cellinst.exe
  C:\DTLSoft/cellinst.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DTLSoft\cellinst.exe

Filesize
157KB

MD5
b3552383b487952719515797547cf364

SHA1
2bc3c0bdba5cca55164cb3dc501a0f3053d1b2ee

SHA256
2b63a639e04027aa80d6378a604907e4338a32d7e4749ee6db8cc56b9402607e

SHA512
e0fde14d74f678f306bfd009294f7b8a5ce97f4b27676d2794554a611ea91ce673ba07a3a15c7d04f42b1d1a61312a8f8c60629aae62f0215306c9bfe99487ab

Download Submit
C:\DTLSoft\cellinst.exe

Filesize
142KB

MD5
dc7ee23ae926245cc363f057c7451efa

SHA1
815de1c4ea8d6b43fbf99c0da04d873a38325358

SHA256
b52b52d1843a7794cab03472a73e067017d8e6d8a4d1c95ebb77a162efc38558

SHA512
2bae74a915d83c9e55b1a3b839444746375e6990c2158aeb3c338944bbea70a1e571f2b2031f9569d8f0908a81ce931846e1edf84bf8de9437a2daff92cab091

Download Submit
memory/1976-16-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/3012-0-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/3012-1-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/3012-2-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/3012-19-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/3012-20-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download