gh0strat | d390da62f1e8d55a5ebbb805bce89ba3036d05950684a1ac3e57ef011d08b31a

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 04:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

system.exe
Size

14.2MB
MD5

b79c7a3ce694f09a0b4aaa70a4c9fd29
SHA1

3764f7d52a7e6524aee9d37318ee17320aeceede
SHA256

d390da62f1e8d55a5ebbb805bce89ba3036d05950684a1ac3e57ef011d08b31a
SHA512

3b9c2174af3de3c3e749b6a6df79d43634ae72b42f145452ad8d67a7afa99e06a474e7cbba30279f1915ba3bc926ed5700552baa7a530e90c5ec553721ba35b4
SSDEEP

393216:0HcgjmZZqbPmYRQK7+TvFDbQlNvoNG31QF7+okgc:GjmXqbrRQRvFDbKB1Iqx

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

18.143.169.29

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2480-153-0x0000000003830000-0x0000000003846000-memory.dmp	family_gh0strat
behavioral1/memory/2480-154-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 39 IoCs

pid	Process
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe
2480	system.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2480	1676	system.exe	28
PID 1676 wrote to memory of 2480	1676	system.exe	28
PID 1676 wrote to memory of 2480	1676	system.exe	28
PID 1676 wrote to memory of 2480	1676	system.exe	28

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Loads dropped DLL
  PID:2480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Cipher\_Salsa20.pyd

Filesize
10KB

MD5
cb9e65d1d021cfb12c65c50bf80daf5c

SHA1
a7d94737e8c52f868960799581f397e1427e47cd

SHA256
8611ab59513020bb21528d604bd168b2bbbd4a87a093ce3502b8221d9e36adfc

SHA512
5c0076aafd67eedc85095c1eed6407a778bcfdacbd42a15ee87037c20e15d556c2dc8bb71c191c82d4d3158a95c7bd771f0e36459563851f56f77d1bc4dd34a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Cipher\_raw_cbc.pyd

Filesize
9KB

MD5
f2e41f7fa11ead634dc262a6eddd19e8

SHA1
64017a83607bd8fad9047160fbf362c484f994df

SHA256
b6d80a0833306f7182f6d73059e7340bbf7879f5b515194ec4ff59d423557a7d

SHA512
086f0e68b401def52d1d6f2ce1f84481c61a003f82c80be04a207754d4abeb13b9e4eb714a949009280c2d6f3fde10ca835a88b3b8dba3597780fbf3e378a870

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
40da301b2dbb903a6d0f269e02b74c01

SHA1
f21e443aabee71f24247939bd2facd73a1281ea5

SHA256
1d6a5ca1cfb202b6588fe34461a53ac07ef3dc1d3883a44f989f70e44a19b9b1

SHA512
98b73ed15ce74f8a5c8ac4cbcc090afe4f769f8e5c37aa47b2728d08f376ae206507fbf78b84653b90a6c3ca81ccb533fa2ebb298148501eb65f72b53cbdaab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Cipher\_raw_ctr.pyd

Filesize
11KB

MD5
486e327a3ce0ac5572b56d020d5aa8ef

SHA1
ec3ff56ae79c4af838d698c3bbb7ac14ed3ad38c

SHA256
0a7aed1d4299ab5d05c4ab980eba8c745046ef58f4b71a11eb49403a20d969b4

SHA512
85cf216418faff1055aa93c527991791ee639e1d1646be3511b1b52d98695cfc35e0ad34f195d205e676f2325104d1190afed884dad77a1a2d74e9cc220d3280

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Cipher\_raw_ecb.pyd

Filesize
8KB

MD5
3970c52465d267d2692c4ab1becbe436

SHA1
08559677f1d8d91616c09c206d3da44b69d740f4

SHA256
da4c8c8ffa7238d9650651781626ff04582744d5b6a00d846aa80b5e9df36e7d

SHA512
d7d3ad7982691c37c1779afa1b3ce40c9e898f9b9b0aceccc58bd587e122ece9783234884c809ea101dfbaddaf297e0e7ca51eb0d46f1cb496d909ea215e2e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Cipher\_raw_ofb.pyd

Filesize
9KB

MD5
e317185ecb97dc7a2f593af9f560ebe4

SHA1
6464275d8b01caa9ece19db72e7830d6d42f7b40

SHA256
a848e7259c073749ff0ea33b93d55ea2a3c1fba6360f0d88eed6f47420fde6b6

SHA512
87d6a825ab55e760dc2a40d5f4379c20d6f3cf055953f9f759e7f6e4702382714a65dd8c9acbc18803dee9bd87dd81af477f0825ec4608eab3c1625f6843000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Hash\_BLAKE2s.pyd

Filesize
11KB

MD5
48e08209729fd94b37b95b035d2bd181

SHA1
0df8e560290e36888691ff5750f3802a58687fa1

SHA256
1dbae6101bbeb5aaab8790536fc6a824c979c5c5e19f16a73aa8853ff3cf1c0a

SHA512
8502d032d030b79aae62f2a45222757cdfa721ec8e350c1e5da66a5d561c675f72eb149f9772379cc657f6b6c2ee3d4d57f1660eeb58bcae77be038060697028

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Hash\_SHA1.pyd

Filesize
16KB

MD5
e432e1e5ad35f45dc34cd034ccaed111

SHA1
9ca70728b955c5d0ff8c6c3871d80946a259d603

SHA256
679ccf793d3d9ef4f0b4b8647f022da4f40847d3084a4d84441cfbefbba37c6f

SHA512
3b7b313313b81965384f036cdec7145ca0ac67f5c8ad8dab60e4710cb8348314bd8da1baf9982d4b0bad378b1089a1d5f5f3ecacf0ecb0cf8412f2f4993baf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Hash\_SHA256.pyd

Filesize
18KB

MD5
dfe083d26d047bec3349c6345db1afa5

SHA1
1c02feea790456083ee4acdd4263f84b8a920ccd

SHA256
3c82db1bcce7bcbe4cccd6716f92b900957d279afc7f7a2a59523a40d3009617

SHA512
542baabfc90d905a67f2d62b1fd27a0053145d5f532edb1cbb005258edc72f0d448570f513aa5d8108857727966e28553741287073032a35b9e6e3787cdb4fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Protocol\_scrypt.pyd

Filesize
9KB

MD5
05969a7400a260e57f2dad65544867a4

SHA1
4ae65e8f97d7ab71c5729555c3c92cea1af969ec

SHA256
427c831901265053c4f7ae53b7b60078a0a70381d6ea050ed0944556c396eae8

SHA512
9984dba0defc3ef23ab5fdd0b311ecea6eaa0ba07d8cd9a2cbf6fc7f47d8764110b8a9a2c4f05fe1beddbd54f604e2f7a659c73f38767c5b3894298e2e98022b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Util\_cpuid_c.pyd

Filesize
8KB

MD5
e198efebb927979bc481f8b109f64c19

SHA1
9ef5f3ddfa2dbd72dd5f94d1ceb911ca1e446cc6

SHA256
0c75e88efd4158d687a410f7318b6ce79036c4a419a538ba20e86bebc750c72b

SHA512
5bd60a98f8c49bfbc1f30bbba62bd2216fad83dd13b4167b0ef24f7febfc2a03ff189c3d4754c49798970bcc21f1e9871de61b85a7dd8498538bbb6590c81bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\Crypto\Util\_strxor.pyd

Filesize
8KB

MD5
1b6ab07c1ea3f1a5f28db01750ac150f

SHA1
f477f97925c51bbb4e0de498700e4589beb88f51

SHA256
08558063c68b9a3c5006f5d78852ecb6caf6a246cf268e23725df2ddf7b7f67b

SHA512
695b5c48d922e66bfaf1518623e7cfa68f8bd0909f310fd2a494d9db13dad34d2c6a9bf23294a5c6990ca4ebac2bd09d50d5b0e31bd162a7337cc04a9aa8a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_asyncio.pyd

Filesize
54KB

MD5
4e406cbfbfb77d6155b814e9f344165c

SHA1
8eddac97fe2e3dccc9d466c5d70d572ddeccd4ae

SHA256
47998cdec5d134dd351947d94ad5ca5a234130d22dff7dae1a12b8c06daf2891

SHA512
9519d3d729cb49bbf9b6889a096b2b6e2871a4ddb767b946f426871d89031aeb9bb993eff4add27909620a2647293dd59c4fba0e245e62eb62de04eb1615ddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_bz2.pyd

Filesize
72KB

MD5
1c7f3f37a067019b7926c0f92f3a3aa7

SHA1
ab6562aaa8cfa2dd49c1779a6374cecaf0e0d151

SHA256
bbc7f102b547180ea8ca5ff496f1bd419bfefd360be15610ae6b08837076f5dc

SHA512
840b095cdbb09b20f5d6db9962f4769734e0be425c9f094571df0df2d28888708072952792faded660c3e8f3db2513b6b42032e18cc681d909993fc6500b3e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_cffi_backend.cp38-win32.pyd

Filesize
151KB

MD5
0430b925af08c2a400c9cdf6749215ca

SHA1
e5d3876c057edbe0f3f7da99bef49be5dc1e6b4e

SHA256
5e19921801974d6848952d982eac32e6f1be9f957e128c9e4c7e75b1ab091ad4

SHA512
864cf27f74f75abfdbe9a17b76ed5dec62f2f82f3bafafa7a2403e5e37a04866951d83ab2683e3f5f0226d70ef8c4cc415296128684b94b916ce984114894b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_ctypes.pyd

Filesize
109KB

MD5
adad459a275b619f700d52a0f9470131

SHA1
632ef3a58fdfe15856a7102b3c3cf96ad9b17334

SHA256
2695a7635fa2bebb6bd720146916f21676e846ea5f39288886bbb27ce2af92f4

SHA512
3f87d84adf3caaf37df30ec4acbaa0b15d9693fe445d31164c81e423ffec51a6263c7a5801e718168be928ab5b1ee689b4932a83c1876ecd97e7544d08c07fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_decimal.pyd

Filesize
220KB

MD5
7bc3e402069caa8afb04f966e6f2b1cf

SHA1
8c0f9a0f189ff2f5a6a6c6a1ac8c2cf72afcb3ae

SHA256
14a59911e349064e4be60dcbf3a0e60dc0f4c0eee2a406b69c9a24ddee3b60ab

SHA512
bd74e6ecbda0e77c3665eb5dbd64a7f6194bcdcff838b9bb1bbeb1367c53491d41c0971602a14d2b4e615b6822f71382b9fe051c3be17464befa8dcf0f884ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_hashlib.pyd

Filesize
36KB

MD5
aaa99ffb90ec5985be0face4f0a40892

SHA1
0ad00c83ff86d7cd4694f2786034282386a39c38

SHA256
b118b6ef5486a65c41fdf049ef3c30d90f39097b5ef4c0b9f61824acfde50b6a

SHA512
e9df4a5480910172ec18e6de2f09eb83152db968dd974bf2e552de2349caa8e66f82110fdf511c7f3dd8436c03212f66d6720bb71306bb811392baed92c78b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_lzma.pyd

Filesize
181KB

MD5
280c3a7c8c5e5282ec8e746ae685ff54

SHA1
5d25f3bb03fa434d35b7b047892f4849e0596542

SHA256
c6e30f1139d4f2b1ec7a5aca8563d6f946ee6ffa6a90a4eb066cd867d3384c39

SHA512
f4185ec91a2e51b703263a6c9796ad589349434a82170370efacef55fde8a885c0c7cf10eff20b61910c569583887ac2e0384847cd724aabc052be2861fafb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_multiprocessing.pyd

Filesize
24KB

MD5
f5bb0b71862c1011de7660e5e5721846

SHA1
4a3101719fa36f5b9165ef56af41208dfe3dc0e9

SHA256
bc2e196bfb21a3f57ca86e96127b1246d47cdaeeb99f6239af38165bf42b5117

SHA512
c794681be1da1acd87555c4b9550cc5f2cefa1b8458becb084aee034c2d7be90a44a4aeb0c0778560d16c80bb6c1e05c91fff208e0e550b06c7d7f46902b9e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_overlapped.pyd

Filesize
37KB

MD5
54c6149ab1c0a621b22be4f4046386b6

SHA1
1d2e8da6a76e6d2ba0b8fb70954d06fdef1ebc1e

SHA256
44d896e8aa8887bad398b03dfdb8cf72aa3c0d87730a2ac0d92763722a426a7f

SHA512
61e0c6571f90856baca950e9aac0835a0726e41e516fc3728c81117d9ee248cf0ab3d47c70b34906cbfd9e37583049b7307d53a8981361bdea1095e3f9271896

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_queue.pyd

Filesize
24KB

MD5
8a21a5ccb136e6c265975ce1e91cb870

SHA1
c6b1ec3deac2e8e091679beda44f896e9fabea06

SHA256
7f43dfb5ba9f4afa82630cd3e234ede0596abe3584f107b9855747ef1cde9acc

SHA512
a215f1674a0ce89324e82e88245201ce5c0bb56193b732527a8f8ca72377dce8b2f1dead380fcab070182eb58c43cf55c2b4c26588e856c1f390a953dbc9de0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_socket.pyd

Filesize
67KB

MD5
e55a5618e14a01bac452b8399e281d0d

SHA1
feb071df789f02cdfc0059dfbea1e2394bfd08ef

SHA256
04e286e59facf3f1ddd54d92b45d7662044c0b17d370eb20eb9ca0c8c8e3cb9c

SHA512
1b2e57e681ea889aac680a9ae3b6c9f76ccf82cff3fc91f3c1b678851152282199172fd1900997163ae8db2a18ee385f1ecfe8230fcbc7bf1a3a896a869b2a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\_ssl.pyd

Filesize
108KB

MD5
8a2eb91cbd839da8813bb6dc5bd48178

SHA1
f4a2aabcd226385e92ee78db753544bb9287556e

SHA256
5ad15dbc726d002d356bfd7e6a077f8568fee463b7ce5f71c33a04b2e11558f1

SHA512
dce0c6cf347516f989d3292d9f9541f585b6f04e04fb8a83bef6b6195310033c01588c129db006677ed2f0971634c84d79a5627db51b21de4e1b6e4f75a32a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\base_library.zip

Filesize
822KB

MD5
70d97ac258804706c0d8e60245886bf5

SHA1
81c04603b6ee0dff9e4d5c29d8da313341a1b90d

SHA256
b0226d2e2a68b2c0c2d4dfa64270576ed74cc0f44965a1f763f9922d2e7a0b4f

SHA512
cdeecc71f4cb7d2a85aa5ae273fe522a2719680a15ed80a837311d441d36478f883c8f5a1510aadf8300e5402474a55aa65a9b71266d71eacd4b1c6ef634985c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\libcrypto-1_1.dll

Filesize
2.1MB

MD5
67c1ea1b655dbb8989a55e146761c202

SHA1
aecc6573b0e28f59ea8fdd01191621dda6f228ed

SHA256
541adbc9654d967491d11359a0e4ad4972d2bd25f260476dd7576c576478698a

SHA512
1c7612c03df85b596dc360c1a94e367d8bfba51f651b49c598e4a066a693d9aa74195a40cc849ef787eac9b6e1e1fc079b389c03fc539e53abf4aa729bef5893

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\libssl-1_1.dll

Filesize
524KB

MD5
9417e0d677e0f8b08398fcd57dccbafd

SHA1
569e82788ff8206e3a43c8653d6421d456ff2a68

SHA256
db16853dbc64f045ae2a972f7605a6f192d09b79cae86fd93b8434fa7d9e031f

SHA512
b7dfd0b265c19d97518e638e4fcc19db3031382cda05c2cbb8965651ceadaa0f68f9d4dd62d542b2c9ef33d9703d50f4d74eb8b9f4918130895ef17feff2f6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\pyexpat.pyd

Filesize
163KB

MD5
e50093c4196ac6c3bd293789248477dd

SHA1
fedc09eaa3c938461f96e8b3476c5239ea93a3fe

SHA256
a8b218f57e82b57184b00c2ccc9cfd353a84ead0e777037a605427b4907fc69b

SHA512
f5c05dbcb9dd4d5c0dc96f3af63023d6ee4760e0e55b839a673411fddd6a63896dd1aa4f4f2985e2853d8e54cc3ec61c83ceda2cffe849baa74221c477bc3992

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\python3.dll

Filesize
57KB

MD5
ba32910ffd8a530fa69bc8f37828a6fd

SHA1
7bb0921ac27708082667fa3be05f08b6817cef7e

SHA256
7fa7fef857b5787c355ecd8d1bec5eba28a5bc98f95dcc5130aebcfcfaa20bf4

SHA512
a3c254979281b60ff11534e5a1feb2448c302eabdb26c668362b5b3b65a10c91fb2aad611cc93526c209473cb3501a280a7aef21833c5960e8d31449b3a71c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\python38.dll

Filesize
3.7MB

MD5
d375b654850fa100d4a8d98401c1407f

SHA1
ed10c825535e8605b67bacd48f3fcecf978a3fee

SHA256
527819a45446a7729e04a70aee587ec7e46d787c159d0f9d4e824e54c1653f4d

SHA512
fb3faadc801cbeb0697849cf539e471f7362212935607237b26293976aa65ec454ac601a013eec930a5910bafac8a3863e7d668fc7767dc53a98e84286f582b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\select.pyd

Filesize
23KB

MD5
39f61824d4e3d4be2d938a827bae18eb

SHA1
b7614cfbcdbd55ef1e4e8266722088d51ae102b8

SHA256
c86c229e97b11cb74cc87bc595d4d936171c5d334e367f55b2ee3f9bcfbc6c92

SHA512
9a5926eafba32a2260521e3d11a4faf8701d3963454cfedf7046765ebbc62baf675944fe3fff3ecb70c80c47ffb1d2c9e2adcd385b8c291908ca3cb4d18a3caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16762\unicodedata.pyd

Filesize
1.0MB

MD5
02f62469bbfcb93a8448f39beac21bbc

SHA1
e9dba509aac97f51916fe705af33a88a821f841a

SHA256
336b4ef6f59b5dba7ecf9348d9c1c67eb2897a76f21e31795f72035c1c96a1f5

SHA512
54c4f54614116f16dbf3437bdbdb01fbad45fda38b7dbc32bb15fc7c35ac2dd44d09a9a6d883769fd2b7f194a9578c94890167987312b1c20c0912dae1a01a9b

Download Submit
memory/2480-153-0x0000000003830000-0x0000000003846000-memory.dmp

Filesize
88KB

Download
memory/2480-154-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads