gh0strat | 863268e4b23b69e2bff3395be373ea17395c93c2f67bd3c4a77e892b9730bde2

Analysis

max time kernel
139s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 11:50

Target

1c0a6c2808eb59a5577d5d415dd624a4.exe
Size

133KB
MD5

1c0a6c2808eb59a5577d5d415dd624a4
SHA1

9f7b105a35dcb1604726f00c4b57a8cb0af8d99d
SHA256

863268e4b23b69e2bff3395be373ea17395c93c2f67bd3c4a77e892b9730bde2
SHA512

f48ad29a047630e0bbc1fb5752dd8f380d2734734ee3d7c0c148ac7bf5c6359e7067307683f0e67e3c3ba143b066d2cdb4da017f9b13c4d2ccdf0c7e5eafacbf
SSDEEP

3072:3hRciShZh3/nOZcsUhWPtKhXhCIqSS/Au37t0j8J2YJpD:3hKiSdWZcspt6hTLCAu37u8J2YJpD

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4928-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/memory/4928-4-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
3752	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\data.dll	1c0a6c2808eb59a5577d5d415dd624a4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\plugin_info.ini	1c0a6c2808eb59a5577d5d415dd624a4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4928	1c0a6c2808eb59a5577d5d415dd624a4.exe
4928	1c0a6c2808eb59a5577d5d415dd624a4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4928	1c0a6c2808eb59a5577d5d415dd624a4.exe
4928	1c0a6c2808eb59a5577d5d415dd624a4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4968	4928	1c0a6c2808eb59a5577d5d415dd624a4.exe	23
PID 4928 wrote to memory of 4968	4928	1c0a6c2808eb59a5577d5d415dd624a4.exe	23
PID 4928 wrote to memory of 4968	4928	1c0a6c2808eb59a5577d5d415dd624a4.exe	23

C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe
"C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe"
  2⤵
  PID:4968

memory/4928-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4928-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download