gh0strat | 6f79d3fe6f776ade4e6c4d71b4abe345e2b45a2efc4c6d1a1ca508aa0f990f50

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d3f78751cfd6487239388b034cb95fb.exe
Size

159KB
MD5

7d3f78751cfd6487239388b034cb95fb
SHA1

225d03be82b3a8e1a2793e172ba3b7bfd2c08c69
SHA256

6f79d3fe6f776ade4e6c4d71b4abe345e2b45a2efc4c6d1a1ca508aa0f990f50
SHA512

50de88ecd80e1e0a1f58924f5afda666cfea028d6d16a0c8cd89339976a30c36b716a5eb3e5171237ebb5a0f4292ceb3b80d5453b707793ae684c054623a321e
SSDEEP

3072:Wej6psFmhQ7cVoQ3TQdwW3iZ8sNqkgq6Whudv:WYcV453GzskgbIK

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/files/0x0033000000015d81-6.dat	family_gh0strat
behavioral1/files/0x0033000000015d81-9.dat	family_gh0strat
behavioral1/memory/2364-10-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/files/0x0033000000015d81-11.dat	family_gh0strat
behavioral1/files/0x000b000000012251-13.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2600	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2600	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fbcd\Kbcdefghi.gif	7d3f78751cfd6487239388b034cb95fb.exe
File created	C:\Program Files (x86)\Fbcd\Kbcdefghi.gif	7d3f78751cfd6487239388b034cb95fb.exe
File created	\??\c:\Program Files\NT_Path.gif	7d3f78751cfd6487239388b034cb95fb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Prefetch2490700.dll	7d3f78751cfd6487239388b034cb95fb.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2392	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeBackupPrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeRestorePrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeBackupPrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeRestorePrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeBackupPrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeRestorePrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeBackupPrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe
Token: SeRestorePrivilege	2364	7d3f78751cfd6487239388b034cb95fb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2392	2364	7d3f78751cfd6487239388b034cb95fb.exe	16
PID 2364 wrote to memory of 2392	2364	7d3f78751cfd6487239388b034cb95fb.exe	16
PID 2364 wrote to memory of 2392	2364	7d3f78751cfd6487239388b034cb95fb.exe	16
PID 2364 wrote to memory of 2392	2364	7d3f78751cfd6487239388b034cb95fb.exe	16

C:\Users\Admin\AppData\Local\Temp\7d3f78751cfd6487239388b034cb95fb.exe
"C:\Users\Admin\AppData\Local\Temp\7d3f78751cfd6487239388b034cb95fb.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fbcd\Kbcdefghi.gif

Filesize
254KB

MD5
bdd9ad9b7a9263092a7ce7c90ddb3aa0

SHA1
efa6566a2fecd158730b47f369cae298a1783084

SHA256
c54ae0fed9e328a2e01371f85cfd8cfed0ca4e3110b62e815239cfea237bdec3

SHA512
da635c779b88ccc860bbe4bf424ec2481bd9c02d867c4aef5a4c47cedda5fee36b26e5237b3df7343554411179d861f432ac6896a3d04f069999dd0a5f518322

Download Submit
C:\windows\Prefetch2490700.dll

Filesize
148KB

MD5
9f1d33774b068c47ecbde821efcac555

SHA1
65df4b9718e9b958bbc497a691a327c745b8d7e2

SHA256
f74a0be343166ab7fd372019caf295a9e86a081449dc570e2f35a7237ed79407

SHA512
d879e34ef9e119c0e8c5d083f97ad227c7dd89825b3f399aaa92006b1921c08af90b4ee34107f7cb30c7f598d2753aa7c78318ec7a5fa4209c34036d372e28f2

Download Submit
\??\c:\Program Files\NT_Path.gif

Filesize
101B

MD5
0e1683472a73824470403549a313beb6

SHA1
bb56a8f0db6a386d747c5d3450621ac9968d7712

SHA256
8e50d609d8a9e1916a2020fc8b0c2aa7d65a1e3e1f511223dc8284de759852b0

SHA512
931e44071d024493524f6fe19061a5b06abbfd1a0112fb2f68ea40e0f06b0806b2a687f6cb128b7f161d7ea4593284dad14aba617018f85bb555da60f5575cd1

Download Submit
\??\c:\program files (x86)\fbcd\kbcdefghi.gif

Filesize
2.2MB

MD5
66bcb38e32a65d434170fe3d5b46dc17

SHA1
b45efa8cf8df4d6fbfa5255d9abfcb3573407722

SHA256
360456b5cccef484db4d714efd2f939ac3de12b579f584015adfa4284f127862

SHA512
b4bbce0eeee909c56d034a875f8bd476b736f7781de435887c85a2752a37fcd8b6981b6f0b5c44b217defd7f3c8e3c36e68f273dedc50e6a62f8c3fb42e52c35

Download Submit
\Program Files (x86)\Fbcd\Kbcdefghi.gif

Filesize
1.2MB

MD5
99d0f24476dfb148607a6e063e539ba2

SHA1
847252e74a3fdda4ea7ea4dec79c4abb97be341a

SHA256
81ff5392276ed51da57b8b6f1c5ace68e794158579690f3e50d29e302613d81e

SHA512
d8e39639a48bfa6d232a395ae5b31ab38d1571f60690cf41054ecd1a1a1fba56818d6202a0b4aad8e4601c6baf0c87bbdc21aad0882f7f0aee5d0aa4af53431b

Download Submit
memory/2364-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download