gh0strat | 5aed908d395713669be6212e15714d5d74b8eb3c4550fa2c5fbb1ce5823f0fae

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09d3f0f050f31badbd8bf62b5011f4b0.exe
Size

100KB
MD5

09d3f0f050f31badbd8bf62b5011f4b0
SHA1

ad42bf7ef03183dd81e57ce8cd9ebe3f4ee51fba
SHA256

5aed908d395713669be6212e15714d5d74b8eb3c4550fa2c5fbb1ce5823f0fae
SHA512

d440f96d9529571e4f5f7d1f594b88c82fdb09dd02bf9ef66d876a1541df68dd49a5dcc3f965bc12481e3729bde220d6d1d3e5f6761baa932973a6808b794491
SSDEEP

3072:iVOMX+J+P3iWziVFsQvVQMEqSrNdaeCkCZiqgXa:iVOMX/viWziHxvVmHNofZZiqgK

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1096-8-0x0000000000400000-0x000000000041B640-memory.dmp	family_gh0strat
behavioral1/memory/1096-7-0x0000000000401000-0x000000000041C000-memory.dmp	family_gh0strat
behavioral1/memory/2964-3-0x00000000004E0000-0x00000000004FC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2772	sc.exe
2616	sc.exe
2572	sc.exe
2092	sc.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2496	taskkill.exe
2928	taskkill.exe
2600	taskkill.exe
2596	taskkill.exe
2608	taskkill.exe
1736	taskkill.exe
2036	taskkill.exe
2292	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2964	09d3f0f050f31badbd8bf62b5011f4b0.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe
Token: SeDebugPrivilege	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1108	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	59
PID 2964 wrote to memory of 1108	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	59
PID 2964 wrote to memory of 1108	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	59
PID 2964 wrote to memory of 1108	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	59
PID 2964 wrote to memory of 2972	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	58
PID 2964 wrote to memory of 2972	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	58
PID 2964 wrote to memory of 2972	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	58
PID 2964 wrote to memory of 2972	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	58
PID 2964 wrote to memory of 2148	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	56
PID 2964 wrote to memory of 2148	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	56
PID 2964 wrote to memory of 2148	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	56
PID 2964 wrote to memory of 2148	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	56
PID 2964 wrote to memory of 2092	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	54
PID 2964 wrote to memory of 2092	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	54
PID 2964 wrote to memory of 2092	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	54
PID 2964 wrote to memory of 2092	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	54
PID 2964 wrote to memory of 2036	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	16
PID 2964 wrote to memory of 2036	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	16
PID 2964 wrote to memory of 2036	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	16
PID 2964 wrote to memory of 2036	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	16
PID 2964 wrote to memory of 1736	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	51
PID 2964 wrote to memory of 1736	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	51
PID 2964 wrote to memory of 1736	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	51
PID 2964 wrote to memory of 1736	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	51
PID 2964 wrote to memory of 2572	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	50
PID 2964 wrote to memory of 2572	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	50
PID 2964 wrote to memory of 2572	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	50
PID 2964 wrote to memory of 2572	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	50
PID 2964 wrote to memory of 2608	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	49
PID 2964 wrote to memory of 2608	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	49
PID 2964 wrote to memory of 2608	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	49
PID 2964 wrote to memory of 2608	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	49
PID 2964 wrote to memory of 2596	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	48
PID 2964 wrote to memory of 2596	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	48
PID 2964 wrote to memory of 2596	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	48
PID 2964 wrote to memory of 2596	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	48
PID 2964 wrote to memory of 2668	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	47
PID 2964 wrote to memory of 2668	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	47
PID 2964 wrote to memory of 2668	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	47
PID 2964 wrote to memory of 2668	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	47
PID 2964 wrote to memory of 2672	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	46
PID 2964 wrote to memory of 2672	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	46
PID 2964 wrote to memory of 2672	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	46
PID 2964 wrote to memory of 2672	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	46
PID 2964 wrote to memory of 2940	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	43
PID 2964 wrote to memory of 2940	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	43
PID 2964 wrote to memory of 2940	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	43
PID 2964 wrote to memory of 2940	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	43
PID 1108 wrote to memory of 2664	1108	net.exe	42
PID 1108 wrote to memory of 2664	1108	net.exe	42
PID 1108 wrote to memory of 2664	1108	net.exe	42
PID 1108 wrote to memory of 2664	1108	net.exe	42
PID 2964 wrote to memory of 2616	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	41
PID 2964 wrote to memory of 2616	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	41
PID 2964 wrote to memory of 2616	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	41
PID 2964 wrote to memory of 2616	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	41
PID 2964 wrote to memory of 2600	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	40
PID 2964 wrote to memory of 2600	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	40
PID 2964 wrote to memory of 2600	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	40
PID 2964 wrote to memory of 2600	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	40
PID 2964 wrote to memory of 2928	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	38
PID 2964 wrote to memory of 2928	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	38
PID 2964 wrote to memory of 2928	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	38
PID 2964 wrote to memory of 2928	2964	09d3f0f050f31badbd8bf62b5011f4b0.exe	38

C:\Users\Admin\AppData\Local\Temp\09d3f0f050f31badbd8bf62b5011f4b0.exe
"C:\Users\Admin\AppData\Local\Temp\09d3f0f050f31badbd8bf62b5011f4b0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  PID:1096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  PID:2292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  PID:2496
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  PID:2600
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:2616
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2940
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2672
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  PID:2596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  PID:2608
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  PID:1736
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:2092
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2148
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  PID:1676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop System Restore Service
1⤵
PID:1956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
1⤵
PID:2336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
1⤵
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop System Restore Service
1⤵
PID:2756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
1⤵
PID:2580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
1⤵
PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-8-0x0000000000400000-0x000000000041B640-memory.dmp

Filesize
109KB

Download
memory/1096-7-0x0000000000401000-0x000000000041C000-memory.dmp

Filesize
108KB

Download
memory/2964-3-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download