gh0strat | c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-08-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0.exe
Size

71KB
MD5

2a9d0d06d292a4cbbe4a95da4650ed54
SHA1

44c32dfae9ac971c3651adbd82c821971a5400dc
SHA256

09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
SHA512

ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
SSDEEP

1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\FileName.jpg	family_gh0strat
behavioral1/memory/2804-10-0x0000000010000000-0x0000000010013000-memory.dmp	family_gh0strat
C:\346100.dll	family_gh0strat
behavioral1/memory/2788-13-0x0000000010000000-0x0000000010013000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2788 svchost.exe
Drops file in Windows directory 2 IoCs

Processes:

0.exe

description ioc process

File opened for modification C:\Windows\FileName.jpg 0.exe
File created C:\Windows\FileName.jpg 0.exe

description	ioc	process
File opened for modification	C:\Windows\FileName.jpg	0.exe
File created	C:\Windows\FileName.jpg	0.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0.exe

description	pid	process
Token: SeBackupPrivilege	2804	0.exe
Token: SeRestorePrivilege	2804	0.exe
Token: SeBackupPrivilege	2804	0.exe
Token: SeRestorePrivilege	2804	0.exe
Token: SeBackupPrivilege	2804	0.exe
Token: SeRestorePrivilege	2804	0.exe
Token: SeBackupPrivilege	2804	0.exe
Token: SeRestorePrivilege	2804	0.exe

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\346100.dll
Filesize
64KB

MD5
45dc749351fd65d71da89ca2ed2766cb

SHA1
e080faf81157b7f867cb56938c5e579c206af9b9

SHA256
391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25

SHA512
7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74

Download Submit
C:\Windows\FileName.jpg
Filesize
17.0MB

MD5
8a8a086783e838a73393e53959901b7c

SHA1
44430693079ba6c91ece14a3c5494182b86e37b8

SHA256
e1b537f3b84fe8bdcb0c6d2db380699df31a638141a1461b36f89d8caa391224

SHA512
c01a145fc1262fd6bbd90db83e87484bf149c81d3d3e1f091197d9f676a2d17e6dad854f5bbafe35cca68c6a60ef7af0f4567eb8d8232b54459e0a5b482b3e11

Download Submit
\??\c:\NT_Path.jpg
Filesize
53B

MD5
4ddae4616240724a85d58168c8682187

SHA1
4810b6fa68a263dff22c6d265f04f0f3599a6097

SHA256
0976b555a884a79d4cd4f57bf1991e7519bb6a5d60d866b1e8a656b8c3c91b95

SHA512
5dbbe037fe6a55c22d69d49b94abb37232c6c3e05710b160ca71c72c124889afea28e036948fe7b67504384af1d5688321fd981071a2e9c95337f69bc78e462a

Download Submit
memory/2788-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2804-0-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2804-10-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download