gh0strat | 44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe
Size

1.4MB
MD5

75a7defce549f51b003075db00f00b8c
SHA1

25bf5c1dcf57e249dbb36c8a966627e2ec6a6cc6
SHA256

44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898
SHA512

876d9bc44f2c581c94684f746b44a4bb5fadb25123758a7a3ee554e94047b322454eae4b996cfd886f982aaf8626b8f3f76b41217dfa8daf8d51440ba4d5ddf7
SSDEEP

12288:UkPSMdzLMPWNHftVFkRaveiBVx3JXJ3TLHvsicK4MqtU7e5oZRgkkm69XlnnfQsv:LP/dXMwxkRmqt7oZC/wnX5GKz8co

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2236-0-0x0000000010000000-0x000000001018B000-memory.dmp	family_gh0strat
behavioral1/memory/2364-17-0x0000000010000000-0x000000001018B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2196 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Euvwo.exeEuvwo.exe

pid process

1332 Euvwo.exe
2364 Euvwo.exe

pid	process
2196	cmd.exe

pid	process
1332	Euvwo.exe
2364	Euvwo.exe

Drops file in Windows directory 2 IoCs

Processes:

44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe

description	ioc	process
File opened for modification	C:\Windows\Euvwo.exe	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe
File created	C:\Windows\Euvwo.exe	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2712 PING.EXE

pid	process
2712	PING.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exeEuvwo.exeEuvwo.exe

description	pid	process
Token: SeDebugPrivilege	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe
Token: SeDebugPrivilege	1332	Euvwo.exe
Token: SeDebugPrivilege	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe
Token: SeIncBasePriorityPrivilege	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe
Token: SeDebugPrivilege	2364	Euvwo.exe
Token: 33	2364	Euvwo.exe
Token: SeIncBasePriorityPrivilege	2364	Euvwo.exe
Token: 33	2364	Euvwo.exe
Token: SeIncBasePriorityPrivilege	2364	Euvwo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Euvwo.exe44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.execmd.exe

description	pid	process	target process
PID 1332 wrote to memory of 2364	1332	Euvwo.exe	Euvwo.exe
PID 1332 wrote to memory of 2364	1332	Euvwo.exe	Euvwo.exe
PID 1332 wrote to memory of 2364	1332	Euvwo.exe	Euvwo.exe
PID 1332 wrote to memory of 2364	1332	Euvwo.exe	Euvwo.exe
PID 2236 wrote to memory of 2196	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe	cmd.exe
PID 2236 wrote to memory of 2196	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe	cmd.exe
PID 2236 wrote to memory of 2196	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe	cmd.exe
PID 2236 wrote to memory of 2196	2236	44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe	cmd.exe
PID 2196 wrote to memory of 2712	2196	cmd.exe	PING.EXE
PID 2196 wrote to memory of 2712	2196	cmd.exe	PING.EXE
PID 2196 wrote to memory of 2712	2196	cmd.exe	PING.EXE
PID 2196 wrote to memory of 2712	2196	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe
"C:\Users\Admin\AppData\Local\Temp\44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\44C3E4~1.EXE > nul
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2712

C:\Windows\Euvwo.exe
C:\Windows\Euvwo.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\Euvwo.exe
C:\Windows\Euvwo.exe -acsi
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Euvwo.exe

Filesize
1.4MB

MD5
75a7defce549f51b003075db00f00b8c

SHA1
25bf5c1dcf57e249dbb36c8a966627e2ec6a6cc6

SHA256
44c3e4e9bfd65d58e0dbf49a7c343794ff05cbef00266820e8e92917949e2898

SHA512
876d9bc44f2c581c94684f746b44a4bb5fadb25123758a7a3ee554e94047b322454eae4b996cfd886f982aaf8626b8f3f76b41217dfa8daf8d51440ba4d5ddf7

Download Submit
memory/2236-0-0x0000000010000000-0x000000001018B000-memory.dmp

Filesize
1.5MB

Download
memory/2364-17-0x0000000010000000-0x000000001018B000-memory.dmp

Filesize
1.5MB

Download