gh0strat | 9b79ae4fc2a6864490deea288285d389126cc67f9fb2e7a8eec82c1dc8508a0c

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46ec523cbc3e0500e95fe56c7f4379ef.exe
Size

151KB
MD5

46ec523cbc3e0500e95fe56c7f4379ef
SHA1

9ba163609216725c694a68fd03c6e855127801fc
SHA256

9b79ae4fc2a6864490deea288285d389126cc67f9fb2e7a8eec82c1dc8508a0c
SHA512

1a4bf147ecde08b58e3376df78e9a5977ef4e867cff1eff49239e2caae6ce5c15a0f2a6875f5e1dcb781476651345229fe42d0beb472825440e283d7ecc3a22f
SSDEEP

3072:bPJz5C9qblUloHkRz9Vg6cBLGKip8Fk6k47SUyC57EI:bPwoH+5IoK2Gjk42x2wI

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x003b00000001508a-5.dat	family_gh0strat
behavioral1/files/0x000c000000012329-11.dat	family_gh0strat
behavioral1/files/0x003b00000001508a-9.dat	family_gh0strat
behavioral1/files/0x003b00000001508a-8.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2832	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2832	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Centerv.gzip	46ec523cbc3e0500e95fe56c7f4379ef.exe
File created	C:\Program Files (x86)\Common Files\Centerv.gzip	46ec523cbc3e0500e95fe56c7f4379ef.exe
File created	\??\c:\Program Files\NT_Path.gif	46ec523cbc3e0500e95fe56c7f4379ef.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Prefetch3214000.dll	46ec523cbc3e0500e95fe56c7f4379ef.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2776	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeBackupPrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeRestorePrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeBackupPrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeRestorePrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeBackupPrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeRestorePrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeBackupPrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe
Token: SeRestorePrivilege	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28
PID 1236 wrote to memory of 2776	1236	46ec523cbc3e0500e95fe56c7f4379ef.exe	28

C:\Users\Admin\AppData\Local\Temp\46ec523cbc3e0500e95fe56c7f4379ef.exe
"C:\Users\Admin\AppData\Local\Temp\46ec523cbc3e0500e95fe56c7f4379ef.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Centerv.gzip

Filesize
1.4MB

MD5
cf7aacf7b195b6c4b91d3ea67656647e

SHA1
e60b5c9bd1a00c9157f11f2e2c30f8f8b1d84a57

SHA256
96ea4d2fba42ae22b909becd653959eb4ec046c3599e0aa9364a406aec199cc3

SHA512
817c6d12f7b0727b9117bd4e823141338622bbb17ad42284ea2be494080fc51f4fcec5007643eb073892d4e427ed891239bc1f25172e3e34c6ea3f72d33181e1

Download Submit
C:\windows\Prefetch3214000.dll

Filesize
138KB

MD5
5d91bd50d7e85a153f9b7db0a7823b03

SHA1
8346fda6c02065875bcca8e2099cf5fa24c6c901

SHA256
9eba1c21031c586dd7d50f5b5457c0ae435752c233e140f8d935dcc3d61f9d86

SHA512
242600fc7d02d6dfec096ed8bc95c4fd12849b5971a2dc6c42395ec8b04fcceb9a01f430d4aaf0cd598eca314c60878b92f87503b219bed890b1df78b7a98d82

Download Submit
\??\c:\Program Files\NT_Path.gif

Filesize
101B

MD5
a8da48403733ab628e8c67b6cbc097d7

SHA1
a12892ecbcb448fbf38fc14db9a16b14feb31b11

SHA256
93986bde94b5531b0c1aaeee740861f08a0e32bdb4275c9e69919f248c657895

SHA512
7e868d02ca234038453dd85b7fa78a77e93ad23985ad4853b2de76dada84ef4489eda82fc140c862b017e75e7be24bbc03a5e87631060f8196f16978b006ac43

Download Submit
\??\c:\program files (x86)\common files\centerv.gzip

Filesize
832KB

MD5
f53e590b1f964f7a6a14d257e70e1681

SHA1
b058db1ed176c3ca804679fdb81f38c05c6b8a70

SHA256
b6f52b28a2e3f538bbf6950890897feaaad1aced39efa092b458f3806cb3b07a

SHA512
9dea3abe7e90e0008075ecfb2a4854bd2e3e6b23f6594f40c32316088b75b43a6502dce2d27be35acaa1cb7893dd3aa0069b594819719d9a468b14aa578b5f9f

Download Submit
\Program Files (x86)\Common Files\Centerv.gzip

Filesize
1024KB

MD5
516a7b9c8b082b46fe83caeb795c45de

SHA1
9b318ea564b6cc01db5737cc63d012dc2f82d2df

SHA256
881d49ab66c7863bba26e9681d89a6fc03cbf2f858d29fa1a53e2949d3e0fe17

SHA512
7fd39d6e50da40e3e78214a8c192763b1dfe31d155e5293ff2a7934cfef785b9fef34a46ffc0370e93ad944e6709adced51482cf461970f98f0e8782f286f081

Download Submit