gh0strat | f91f7d2f20f139671e090f1cc306ee0c8cbd38e93bf6f1aaaf2a2c78578108a3

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de562c48fda5d3480a2ea2eec88acca1.exe
Size

184KB
MD5

de562c48fda5d3480a2ea2eec88acca1
SHA1

2ffc4d7479921d5acc16fec68e19b1f16f63adbe
SHA256

f91f7d2f20f139671e090f1cc306ee0c8cbd38e93bf6f1aaaf2a2c78578108a3
SHA512

00e6aabbcaa0c7c6edd25ec9c3a6fbbd702d1c6756ae6ce22b0fbab6dcb2c61ac6e1239a80fd3938a45f2aafc1b735cd4076715d111ecf9c42f153b2e1d9aa89
SSDEEP

3072:dcWYIOJtL7tPQGYnNnVzamxH/tiZ+1cfk4Twy6rYGPemov:qWYFFGnV7Ztmffk6wyKYeemo

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000d000000015626-5.dat	family_gh0strat
behavioral1/files/0x000d000000015626-8.dat	family_gh0strat
behavioral1/files/0x000d000000015626-9.dat	family_gh0strat
behavioral1/files/0x0009000000014b70-11.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1344	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1344	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Xccr\Duieaqqrj.jpg	de562c48fda5d3480a2ea2eec88acca1.exe
File created	C:\Program Files (x86)\Xccr\Duieaqqrj.jpg	de562c48fda5d3480a2ea2eec88acca1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\temp2251400.dll	de562c48fda5d3480a2ea2eec88acca1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	de562c48fda5d3480a2ea2eec88acca1.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeRestorePrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeBackupPrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeRestorePrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeBackupPrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeRestorePrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeBackupPrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe
Token: SeRestorePrivilege	1988	de562c48fda5d3480a2ea2eec88acca1.exe

C:\Users\Admin\AppData\Local\Temp\de562c48fda5d3480a2ea2eec88acca1.exe
"C:\Users\Admin\AppData\Local\Temp\de562c48fda5d3480a2ea2eec88acca1.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Xccr\Duieaqqrj.jpg

Filesize
3.9MB

MD5
2efe851260e45463425fd510576c045f

SHA1
bcff36ce291f5b7748fb39228ef98c7b17db22dc

SHA256
7106965baa8dc0ada92b5ccf6f35e939e8a30ac26b3b82831d6d33e2676afc9c

SHA512
0f89971dddde87081faad2d4706aa0102a82a78900b50e4293f0ef1ec9b0b7fdf4791a8e0bbac658b20f3971781e62d42768a30cb828de8abeffccc5226bdb89

Download Submit
C:\windows\temp2251400.dll

Filesize
109KB

MD5
8828481d3461d7ef1350fc7b72e6fff3

SHA1
4e564d76022b84075ea39e0054254d0b37def9a9

SHA256
f3a2f06bb2280be3194ed6d576ed772599003af14326c220f2c501d1a55265e9

SHA512
8f5f68f6d716657b9b93ba773f2115da2b3f556b4c0e19ff815267d6455ef69533c2f52730936b7e58617a1fbb941b64f2237d1d8973fc8d2588407e16d0ea89

Download Submit
\??\c:\NT_Path.old

Filesize
97B

MD5
62d9abf10cd54655848bef14ecc7d31f

SHA1
ecc03bf25a1a6eae71d9c158a8e6e9b0d2fc6bd2

SHA256
3dd33f72486cbd87335236e355a667840dd9e485700597d65462c6a2a4bf28da

SHA512
d4716c5eeb1afaf200fcad0a7dc5f050813366390c5d1826dcb2f07a07dbb631c4793cc8a191c43c5b7654b8b6081fb5e529f4c168baaf334a397b16d31fe516

Download Submit
\??\c:\program files (x86)\xccr\duieaqqrj.jpg

Filesize
2.2MB

MD5
89d6b92423f773959c52a9131977a8ef

SHA1
356b12451ee97d9b28b76f2108bff9cc813da318

SHA256
9184bd80385f38181263d51706a47480a72f57dffcfdd9fdb4930206b96d1f8c

SHA512
f5874be63d0275443bb09485e7a152254795faf2ea0bad751ab55237932d3fff670b3d898db98aa513e197f662fd0a566d21bb174c6da8c7116f6bd25750465e

Download Submit
\Program Files (x86)\Xccr\Duieaqqrj.jpg

Filesize
2.5MB

MD5
75966a405949eae5026d223e4e89823f

SHA1
aa4cef74b8c4ada5dc96d4e67896ec1caef21be7

SHA256
947ce1eab916053db5a3ef95cb88ab0a8964da63d1f2a57a6fe88043322b6d4e

SHA512
d4bdbddb3721429b549a766cbee61080637e165a4a27244acf2bf628832c97692c54be392165e710174d3dac56ce5105d7b455027caf82956f3d51202ec58c16

Download Submit