gh0strat | dd3d5fe23c62b4fd62f9cbe759e291ab253d36b2a37c4715be8e2943f83f264a

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d065070a809c92aed9e05e0b959f2f.exe
Size

244KB
MD5

01d065070a809c92aed9e05e0b959f2f
SHA1

b6ce0703d1610fb0d9e1e10949bf7f65c93c5867
SHA256

dd3d5fe23c62b4fd62f9cbe759e291ab253d36b2a37c4715be8e2943f83f264a
SHA512

ad9b410aa3c1f8f73cbd77d8cb1699e6a07f272b59c4932ba37a3b5c0b3b5a734c70926562495b4d64a5acb652e2be3102fd5a85877b1d3d0e49e3c1389d1c69
SSDEEP

6144:3mn9qax+S4Re3PCR/Qumn9qax+S4Re3PCR/Q:3Mjxv+6CJQuMjxv+6CJQ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000600000001e5df-4.dat	family_gh0strat
behavioral2/memory/1596-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/memory/1596-26-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral2/memory/1184-25-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1596	Server.exe
1184	Server.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MyInformations.ini	Server.exe
File opened for modification	C:\Windows\MyInformations.ini	Server.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1112	1184	WerFault.exe	91
1124	1596	WerFault.exe	90

Kills process with taskkill 2 IoCs

evasion

pid	Process
4612	taskkill.exe
3044	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	01d065070a809c92aed9e05e0b959f2f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1596	1460	01d065070a809c92aed9e05e0b959f2f.exe	90
PID 1460 wrote to memory of 1596	1460	01d065070a809c92aed9e05e0b959f2f.exe	90
PID 1460 wrote to memory of 1596	1460	01d065070a809c92aed9e05e0b959f2f.exe	90
PID 1460 wrote to memory of 1184	1460	01d065070a809c92aed9e05e0b959f2f.exe	91
PID 1460 wrote to memory of 1184	1460	01d065070a809c92aed9e05e0b959f2f.exe	91
PID 1460 wrote to memory of 1184	1460	01d065070a809c92aed9e05e0b959f2f.exe	91
PID 1184 wrote to memory of 4612	1184	Server.exe	93
PID 1184 wrote to memory of 4612	1184	Server.exe	93
PID 1184 wrote to memory of 4612	1184	Server.exe	93
PID 1596 wrote to memory of 3044	1596	Server.exe	92
PID 1596 wrote to memory of 3044	1596	Server.exe	92
PID 1596 wrote to memory of 3044	1596	Server.exe	92

C:\Users\Admin\AppData\Local\Temp\01d065070a809c92aed9e05e0b959f2f.exe
"C:\Users\Admin\AppData\Local\Temp\01d065070a809c92aed9e05e0b959f2f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im ZhuDongFangYu.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 528
    3⤵
    - Program crash
    PID:1124
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im ZhuDongFangYu.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 496
    3⤵
    - Program crash
    PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1184 -ip 1184
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1596 -ip 1596
1⤵
PID:4136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
112KB

MD5
cf04614248480695c6af1ef56b5fb64b

SHA1
22307673f5c2c932b8ec9f651aac64a2b0ddd1e5

SHA256
bf264544d519ba9f5065e2360a6dac559a470fe57ff49887b42a8557e795c563

SHA512
77f0c44bb8efe34a7d0c1efdb69b92bc5aa4c3bab884c8a6472eee59385adfb5a5ec4359033c47668a62f138a91a0a6543bb01f30ed7d0b6cd9adc74db741c2d

Download Submit
C:\Windows\MyInformations.ini

Filesize
303B

MD5
7b9ca5bc9eb53289e1e71a6f4bb8101f

SHA1
051715efb6328121560242eeb56350cce1cf66a0

SHA256
85fdefaefc42009832ee6a3bc398bfe87c65f5132aeac99e028ef138b924ee9c

SHA512
b8aa51dc49a058eca3c6226edce4e55c01853b61be36ab686fbb40e8d33291308386ac2115093f16c69bad0911a44545b76473430688a9cca932b9fd0d62ccb0

Download Submit
memory/1184-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download