gh0strat | 4c746db20fe8d91ddd3e1402347b1e43a257d8db7ffa0c9061b891571d632ad2

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60828b0a3aed7ff1459a1e074b09f0dc.exe
Size

172KB
MD5

60828b0a3aed7ff1459a1e074b09f0dc
SHA1

1320999d1a87cc79239da25dbaf607e79f06ee8e
SHA256

4c746db20fe8d91ddd3e1402347b1e43a257d8db7ffa0c9061b891571d632ad2
SHA512

9fb481f68b00cb1b5794e9b721a41363df160ccfd248b7b6b68c7704829ff6aea6ad044e085c6f199441b95ca31049218e7eaf2b714e4fdb4ec10e9dc225a8a3
SSDEEP

3072:sX8gvoZhGH8RiRnvth6y47VFRg6rb1Zb/aQfZ6eiPeqovqw:sX8JZhmZ6yShltZbCVheqoi

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x000000000042B000-memory.dmp	family_gh0strat
behavioral1/memory/2372-7-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/files/0x0009000000015c33-9.dat	family_gh0strat
behavioral1/files/0x000c000000015d03-13.dat	family_gh0strat
behavioral1/memory/2372-15-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/2372-14-0x0000000000400000-0x000000000042B000-memory.dmp	family_gh0strat
behavioral1/memory/3056-19-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/files/0x0009000000015c33-18.dat	family_gh0strat
behavioral1/files/0x000c000000015d03-16.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
3056	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Aagj\Urwawooek.bmp	60828b0a3aed7ff1459a1e074b09f0dc.exe
File created	C:\Program Files (x86)\Aagj\Urwawooek.bmp	60828b0a3aed7ff1459a1e074b09f0dc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeRestorePrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeBackupPrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeRestorePrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeBackupPrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeRestorePrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeBackupPrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe
Token: SeRestorePrivilege	2372	60828b0a3aed7ff1459a1e074b09f0dc.exe

C:\Users\Admin\AppData\Local\Temp\60828b0a3aed7ff1459a1e074b09f0dc.exe
"C:\Users\Admin\AppData\Local\Temp\60828b0a3aed7ff1459a1e074b09f0dc.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2837200.dll

Filesize
128KB

MD5
1dfb2e9715ce138f498d3d8c9590d765

SHA1
a1574cf30aff7f92ab0e7896b87a780629f3ab2a

SHA256
054731d0f2a81aff46c5a467b2ddf42a5cc9ae39ee46b7bac836956e00333d29

SHA512
308a27e261857435e7235a2070f7e58cea6290c9d0e52f22bc16a665252e978d50b8310d36303e861dadcd27faa824b931b46081dffefc3e816cef255f172a6c

Download Submit
C:\2837200.dll

Filesize
106KB

MD5
03df342c8a52597294946d391068cc58

SHA1
64b82872b16ba860a303111e810b19a6545bbb16

SHA256
27609b16eacce27c98fb146c84f205b0cabddf701560774a1a1c2a80d9db1edf

SHA512
6631088635d91a9fc13b126797e5135de767e1cc774f65c28874d679b330bfeed437039cd3617c25f0e8ba2843c349a5cad8644a236ef68fe39089f02f15b9df

Download Submit
\??\c:\NT_Path.jpg

Filesize
85B

MD5
46e6856cf2f8fbe501fdefd2adec9044

SHA1
dc201316513caff4672c02dfcc00a847a01e777b

SHA256
377bcb51ac7e75da0e676e697c869c69ff2322eef3f6c3a56ea354457a42b2ef

SHA512
36cbc7c01977f3f1ec033201893674b9d13a2ac23e35fead8656e0930256f425a2128d57fadcbde033b754877a66476541bd1f1d208eafb0b46bac28d05a2caf

Download Submit
\??\c:\program files (x86)\aagj\urwawooek.bmp

Filesize
65KB

MD5
1df57c3524e9a15aefdea9068478ff5e

SHA1
ecaf662afb1b0b9385918f660d5b582600fc7602

SHA256
38d43ab95d08e2036c4868b65dbb119f1a81f444896f32685fdfc87f0606e60b

SHA512
fd7cacf75d65c9bd390235e641d6d6f62b2b409a14ea5b91ea43655bfea9e47a3a644c22dda2724d68b1d6f428019cfb60d5b54c9e01bd503c9d509ad9d2ee21

Download Submit
\Program Files (x86)\Aagj\Urwawooek.bmp

Filesize
78KB

MD5
a022e4a2bc39d729327782492ef485cb

SHA1
4d5d678e50683a7ee8e186fb992b6bc287753d94

SHA256
d08984574cea751a7e9db12649ac750ca136c4326683676394010c920773a1e2

SHA512
a9c1b1aaad1040f5e0429e2053ac5afb93900b07f89cf7980289b67a0528a67b45abf86d233120871e2fdc06567dd712e74fbeb9dfd3e448bd6467058bce09bd

Download Submit
memory/2372-5-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/2372-4-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/2372-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2372-7-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2372-15-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2372-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-19-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download