gh0strat | 0c4a267e3233ac96ba552df7bff70f74aa969c336b85f02db91f3bc3b9d77282

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ae69887ef3f94d70a5ce45811f34511.exe
Size

126KB
MD5

2ae69887ef3f94d70a5ce45811f34511
SHA1

afd7ed6f105d9476ea0993b4613dfdfc6cbe7383
SHA256

0c4a267e3233ac96ba552df7bff70f74aa969c336b85f02db91f3bc3b9d77282
SHA512

7c94535ae2c921a5f47afca2569103aeeb9ffa927f4afc217002dfc6024f0a3d171d417ab3724b599179cc46fd6e025bdb451e3523f99a0af486e03dba86aa4e
SSDEEP

3072:d1UNGB+I0Oy8uIqn904rKttHkoIIuZkfiXqCYNg:d1UQpu8Hqm4wKodkkqXBm

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014bcc-5.dat	family_gh0strat
behavioral1/files/0x000b000000014bcc-8.dat	family_gh0strat
behavioral1/files/0x000c000000012251-11.dat	family_gh0strat
behavioral1/files/0x000b000000014bcc-9.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
3024	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fbcd\Kbcdefghi.gif	2ae69887ef3f94d70a5ce45811f34511.exe
File created	C:\Program Files (x86)\Fbcd\Kbcdefghi.gif	2ae69887ef3f94d70a5ce45811f34511.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeRestorePrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeBackupPrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeRestorePrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeBackupPrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeRestorePrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeBackupPrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe
Token: SeRestorePrivilege	2896	2ae69887ef3f94d70a5ce45811f34511.exe

C:\Users\Admin\AppData\Local\Temp\2ae69887ef3f94d70a5ce45811f34511.exe
"C:\Users\Admin\AppData\Local\Temp\2ae69887ef3f94d70a5ce45811f34511.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1976400.dll

Filesize
112KB

MD5
339e612cfa378411cff35260fe3084a0

SHA1
cc9e82478958e14d7b3a7d404ada2d5745ae3b8e

SHA256
7d1220a54ae455ce49db678c94b275191585fecb4d4c8d6aee9a3421eaa65289

SHA512
fe1caa47b925296528ed549210756cb890ea735ed56a3d451e0af61f8b83bdbcda6404a91111b632154e0276e3c88c98eef11edd7dd140f31045d57dfec4839f

Download Submit
C:\Program Files (x86)\Fbcd\Kbcdefghi.gif

Filesize
64KB

MD5
b6c21624cda6bde61e6024ce54a94625

SHA1
70ef1b6c2f12da2e0122c16c257e2c168e1eda23

SHA256
6d271b48b700ee55edc04b07754c798bfa361f33d50dee2dd2799057d08ee7a5

SHA512
140410ed3b3ae87ffde8bba55e5b030589ddf4de42bd76632fa5f23fd90afadad2d9d7393fb64e6fe17614df58a18d9b6bc72ea614099c4ff80915c979edaa43

Download Submit
C:\WinWall32.gif

Filesize
85B

MD5
a48e98ecf182f163c5991b16fc651e4f

SHA1
9ebc36290c9816ce81145c31b028d5da11550d5b

SHA256
af53678c8866f7477471677da1244e737cc84ae875bef07d2874cee999cd9097

SHA512
7c75b971e0068043fc75e935effa81d36f78eb2b13944a944dff873f2a1963ac6d69d97f7b6a5dce58154484f0fc1fbd69db56071764320ce6b07a849e9c185f

Download Submit
\??\c:\program files (x86)\fbcd\kbcdefghi.gif

Filesize
1.4MB

MD5
75ca5a959410f179ca80741f16026988

SHA1
f40ec9ff843349d0e52c223a73aa85f39f404fac

SHA256
4be67fce4758b3fd0459e7cd78ae7fe451cefc4820e09aad25b42273a10249c4

SHA512
83125358e4d2266bf03ccee77b994293169e5c923b45f10fde637f23f42ba6ea65ec2a94a0e43db21f9508144a0533f961138f72392b52ef66c211301bfe1f74

Download Submit
\Program Files (x86)\Fbcd\Kbcdefghi.gif

Filesize
1.1MB

MD5
a8e0f4e9e70277a8201e2b1511ca3770

SHA1
7ce996141cf108a393ef280f28ff680f60339cac

SHA256
f72e582d73b2beb087246f7eada144ca9b8ac0b83116e5f4292d4b499ca35a2f

SHA512
6057cae67d1682e7d4b5690de4f34dafd101ec843a7a9d5dd3242526c83dab2ddac1e153deb55afa24c103889b69f709fccc3337f2f8fbbfe7b53a50a324d3e5

Download Submit