gh0strat | 31d3bdb8c4e66a3caae247c80082484398cc8bc21849fd7ee836cde6d8a19356

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2480e2b9dda4bd4a8b63d633fd05ed.exe
Size

196KB
MD5

7a2480e2b9dda4bd4a8b63d633fd05ed
SHA1

509ab04dcb2b3785bd9579dfd4380aa56c1a106d
SHA256

31d3bdb8c4e66a3caae247c80082484398cc8bc21849fd7ee836cde6d8a19356
SHA512

61855d9a0b5b42c7dda5ba03a6635308fbe108f7f61205e3c0ff30a51081c0cb17393562ef243d399ce21d07d53743ee421ec926d2254832e20b56076789ddb5
SSDEEP

3072:n1Y8t7VChoFw4gbA/zftSF97RdPcurK77S3YcI:hChcYLRBNK77SU

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016c1a-6.dat	family_gh0strat
behavioral1/files/0x000c000000016c1a-7.dat	family_gh0strat
behavioral1/files/0x000c000000016c1a-11.dat	family_gh0strat
behavioral1/files/0x000c000000016c1a-9.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2112	carss.exe

Loads dropped DLL 5 IoCs

pid	Process
2236	7a2480e2b9dda4bd4a8b63d633fd05ed.exe
2112	carss.exe
2112	carss.exe
2112	carss.exe
2112	carss.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\carss.exe	7a2480e2b9dda4bd4a8b63d633fd05ed.exe
File opened for modification	C:\Program Files\Internet Explorer\carss.exe	7a2480e2b9dda4bd4a8b63d633fd05ed.exe
File created	C:\Program Files\Internet Explorer\FuckBaby.dll	7a2480e2b9dda4bd4a8b63d633fd05ed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2112	2236	7a2480e2b9dda4bd4a8b63d633fd05ed.exe	28
PID 2236 wrote to memory of 2112	2236	7a2480e2b9dda4bd4a8b63d633fd05ed.exe	28
PID 2236 wrote to memory of 2112	2236	7a2480e2b9dda4bd4a8b63d633fd05ed.exe	28
PID 2236 wrote to memory of 2112	2236	7a2480e2b9dda4bd4a8b63d633fd05ed.exe	28

C:\Users\Admin\AppData\Local\Temp\7a2480e2b9dda4bd4a8b63d633fd05ed.exe
"C:\Users\Admin\AppData\Local\Temp\7a2480e2b9dda4bd4a8b63d633fd05ed.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Internet Explorer\carss.exe
  "C:\Program Files\Internet Explorer\carss.exe" "C:\Program Files\Internet Explorer\FuckBaby.dll" rukou
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\FuckBaby.dll

Filesize
2.2MB

MD5
60b1a121f5f809ab3ebc6dfe53ef8f1a

SHA1
8015860461d151958bf0883c0b04203e78310f39

SHA256
b5ec4a4bb5b55b75d339f9f4f8684a6b72464b6a5e2e754f6f4d118242772f6e

SHA512
21abdbcf2e99159f48478afeb03ddc1dcc90465542d16bf318972f69ade546d9eb02106717cc148ea970ba537c7d5433f40c702aef1cde9e59e0c1e386e7fa27

Download Submit
\Program Files\Internet Explorer\FuckBaby.dll

Filesize
19.3MB

MD5
737b6cebba9fa2dbc02547ed4742d8fa

SHA1
3bf50d41b43b445394465c88b8d8f373b548ff23

SHA256
4aec1e62faa747c97011ecb3bacd44025d3b442a4db9b08e991e71376ecdd009

SHA512
28a4b1f0d56fbb97332edca9e017b511ec012288c24cfb3b27f98212ad239235736c97a9c67ab26acfafe60e5d835180f656ce4f1880a833b110a5123e9fdf58

Download Submit
\Program Files\Internet Explorer\FuckBaby.dll

Filesize
4.8MB

MD5
e778dde9a22dc69ca710af3c4d3abcfe

SHA1
68abba19382962a4acddb8cff495261db182b5cb

SHA256
602758282fc9ff38520825e925580ec4a8f1bc7292f6bc7d79ff48d8c183b5cc

SHA512
88a5b3313b137739ef5e1d03fffaa1f106eed64ef88f7de5142e6b17466117d03e8e76a3d03d605dd1649e1544487ddf7e31ec7e9a538153b0c69afafd528119

Download Submit
\Program Files\Internet Explorer\FuckBaby.dll

Filesize
20.1MB

MD5
89846bbc01d748fb93050314ddc30584

SHA1
5bccce6fcaef1d887483c1013aa34eedbc56ccd0

SHA256
3673b7143e461f3fe4686b7f467c5f8e5778f0106eaf9f38e9c58122fc6e818c

SHA512
2f50c74c6cd240ba3c5bed5750412a0962b417664dff05cbb0624ac003832ba3065b207e39d13ab37595244dc1fd4791c2fd46c9f1c1119cdc7f6e0c320f5446

Download Submit
\Program Files\Internet Explorer\carss.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit