gh0strat | 2792eec62979b6f74a5ed6a4670a02b6761c44cf2ab5a1507e8e5d88be7978fe

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 14:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f662a18ee3ec945f2cce255c9daadf2.exe
Size

100KB
MD5

8f662a18ee3ec945f2cce255c9daadf2
SHA1

095cc47f38120efa6b715e69259990add9c622d8
SHA256

2792eec62979b6f74a5ed6a4670a02b6761c44cf2ab5a1507e8e5d88be7978fe
SHA512

004e83fb43448338cb4b6d5d452a311547bca9421fd1ce9cd2775fda1049a595f8091e463fe4b3d9b4ee9af0a9ffce1b82ef39a7012d5983e2735174fa05012a
SSDEEP

3072:19MX5uF1LpwRvk8NS+ZygBBWBynXMONO4yzf:19MUndAkkqQBCynMp

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/548-0-0x0000000000400000-0x000000000041A000-memory.dmp	family_gh0strat
behavioral2/files/0x000d000000023167-3.dat	family_gh0strat
behavioral2/files/0x000a00000002322e-12.dat	family_gh0strat
behavioral2/memory/548-13-0x0000000000400000-0x000000000041A000-memory.dmp	family_gh0strat
behavioral2/files/0x000a00000002322e-14.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
3340	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
548	8f662a18ee3ec945f2cce255c9daadf2.exe
3340	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/548-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/548-13-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\main.jpg	8f662a18ee3ec945f2cce255c9daadf2.exe
File created	C:\Program Files (x86)\Common Files\main.jpg	8f662a18ee3ec945f2cce255c9daadf2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeRestorePrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeBackupPrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeRestorePrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeBackupPrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeRestorePrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeBackupPrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe
Token: SeRestorePrivilege	548	8f662a18ee3ec945f2cce255c9daadf2.exe

C:\Users\Admin\AppData\Local\Temp\8f662a18ee3ec945f2cce255c9daadf2.exe
"C:\Users\Admin\AppData\Local\Temp\8f662a18ee3ec945f2cce255c9daadf2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\147800.dll

Filesize
68KB

MD5
6bff429b0362918b12bb215b5c77ee6c

SHA1
5469b427ad81883d43113af0ccbca75d22ba893e

SHA256
a270e0ed984f02be054c367fc68b7ad66c646ffbd8592760c18e239016eec91e

SHA512
e92f47f503fcf9c5e58b3d203d0427082914d7f1812e43b4c7c2fb773e9fb2431d28178359d70e35dbaa29ee3011edec51976524662890821dff59ff5c2e877c

Download Submit
C:\Program Files (x86)\Common Files\main.jpg

Filesize
1.7MB

MD5
497d975a91b4915a65a79b98e7c64320

SHA1
b2ec0025d1c07effd7145d829cff2b932fe7c390

SHA256
fa13aa8fdd20b370fcce9bc39db2298ec51ed6afa1ebaf217f35426b1998eac1

SHA512
9942354d9afcc0e16b4c228328c6755cbfbf5feb1c4ca9967af165f69026898ce8da335c4e47c662d3e38655623a540b440fba21a7e08eca41482e52b5a2bdf2

Download Submit
C:\WinWall64.bmp

Filesize
84B

MD5
6f6fa595f0a127ff35d58f18d2aeeeec

SHA1
a7aff056e6ff345ec72f49f2832405ea9e10cf5e

SHA256
03da8abcc3ad2284540af47e621bd61f08cec40f0760c3bb71c24f02af742a2d

SHA512
041df0c1e67839172fe95007f12ce393e60d21e2d74bd5a4f2bb2dd0354ac7fef689d0b8469ac68c4f475ec3729194fb3b5e67456eb40587f81f1ddc64da500f

Download Submit
\??\c:\program files (x86)\common files\main.jpg

Filesize
1.4MB

MD5
2b12af737ca94f16138929de9d993cf5

SHA1
38b48d87830722cea3a1c5d55e685dbfbd5b070d

SHA256
b3aa903ad85f051fcbaff256b0df387b928d3bdafb73ae90d51666f8c7d8e2d8

SHA512
70b383ffdc21e5f651985d289bba40b60998a9dad2ee3b327dfcebe9fc2d58a1c3ed7fcc3333cdef78266996714a6cab146529e0c18840130505b13a778e8ee8

Download Submit
memory/548-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/548-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download