gh0strat | ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4

Analysis

max time kernel
190s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 13:50

Target

ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe
Size

600KB
MD5

5139ade75af37250e97b19f76a532621
SHA1

94e76438bca9b7786e917b344f7cce319eb53f34
SHA256

ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4
SHA512

1ef0e4c8f4ec46146c2de88b40d25ba43ac76437de81458cffae87fa5a8030b4176a3d4e59470066318d8fcf9cb0aeeebda6c4c9d51b721af5dbeca22c6e8c7a
SSDEEP

6144:8PIP+niD5Gcc8419jmjA3c8lDPj2DLxrj61wW1wNE1wUzA:8P3iw8yaA3c8VGxvmH44n

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2692-3-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat
behavioral1/memory/2564-20-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Gwcggu.com

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	Gwcggu.com
2564	Gwcggu.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Gwcggu.com	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe
File opened for modification	C:\windows\Gwcggu.com	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2692	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe
Token: 33	2564	Gwcggu.com
Token: SeIncBasePriorityPrivilege	2564	Gwcggu.com
Token: 33	2564	Gwcggu.com
Token: SeIncBasePriorityPrivilege	2564	Gwcggu.com

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2564	2568	Gwcggu.com	31
PID 2568 wrote to memory of 2564	2568	Gwcggu.com	31
PID 2568 wrote to memory of 2564	2568	Gwcggu.com	31
PID 2568 wrote to memory of 2564	2568	Gwcggu.com	31
PID 2692 wrote to memory of 2616	2692	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe	30
PID 2692 wrote to memory of 2616	2692	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe	30
PID 2692 wrote to memory of 2616	2692	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe	30
PID 2692 wrote to memory of 2616	2692	ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe	30

C:\Users\Admin\AppData\Local\Temp\ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe
"C:\Users\Admin\AppData\Local\Temp\ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AE0E44~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

C:\Windows\Gwcggu.com

Filesize
600KB

MD5
5139ade75af37250e97b19f76a532621

SHA1
94e76438bca9b7786e917b344f7cce319eb53f34

SHA256
ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4

SHA512
1ef0e4c8f4ec46146c2de88b40d25ba43ac76437de81458cffae87fa5a8030b4176a3d4e59470066318d8fcf9cb0aeeebda6c4c9d51b721af5dbeca22c6e8c7a

Download Submit
C:\input.txt

Filesize
4B

MD5
250413d2982f1f83aa62a3a323cd2a87

SHA1
3c24f257fbe14b58141a0ab7dbd5484c1d561f2c

SHA256
54a462dce3c1abb2b43ba63a42bc391fa5561bfeafe737bd1f4845b902ffbfe3

SHA512
e62538b99ca820e4ef2c24da6dc2afbe963c6793f0f7a93dbc231bdf44b77baa288d4ed18e8b05a3e5446454029d127fa54ead1c5fd9d7ff91fa21006e12f699

Download Submit
memory/2564-20-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2692-3-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download