gh0strat | 8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe
Size

1.4MB
MD5

2941256472314ccf1d6670de4bb14b80
SHA1

3fac0c56e5a90d5577a8b5a56f0477a13fd139c6
SHA256

8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07e
SHA512

c8615ffb538c087af763ba598250667f300c765b2eca1d8c18cc8ff68732eb50193ed6b07a0a7ba3215c53777476947d670089b797f979ff667188167cb0df39
SSDEEP

6144:9kyLEbWaR5Cc78p6Y8+HkkrhhhhhhhhhhhhhhhZRSMH:KUaWaR5vYpVrhhhhhhhhhhhhhhh9

Score

10^/10

gh0strat discovery rat

Malware Config

Extracted

Family

gh0strat

8.134.216.162

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2596-0-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Executes dropped EXE 2 IoCs

Processes:

Terms.exeTerms.exe

pid process

2648 Terms.exe
2628 Terms.exe

pid	process
2648	Terms.exe
2628	Terms.exe

Drops file in Program Files directory 2 IoCs

Processes:

8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe

description	ioc	process
File created	C:\Program Files (x86)\Terms.exe	8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exeTerms.exeTerms.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Terms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Terms.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exeTerms.exeTerms.exe

pid process

2596 8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe
2648 Terms.exe
2628 Terms.exe

pid	process
2596	8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe
2648	Terms.exe
2628	Terms.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Terms.exe

description	pid	process	target process
PID 2648 wrote to memory of 2628	2648	Terms.exe	Terms.exe
PID 2648 wrote to memory of 2628	2648	Terms.exe	Terms.exe
PID 2648 wrote to memory of 2628	2648	Terms.exe	Terms.exe
PID 2648 wrote to memory of 2628	2648	Terms.exe	Terms.exe

C:\Users\Admin\AppData\Local\Temp\8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe
"C:\Users\Admin\AppData\Local\Temp\8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07eN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
1.4MB

MD5
2941256472314ccf1d6670de4bb14b80

SHA1
3fac0c56e5a90d5577a8b5a56f0477a13fd139c6

SHA256
8d49896b282a08c503c04a27851907261c97e458717e6389e2b88fa876d8d07e

SHA512
c8615ffb538c087af763ba598250667f300c765b2eca1d8c18cc8ff68732eb50193ed6b07a0a7ba3215c53777476947d670089b797f979ff667188167cb0df39

Download Submit
memory/2596-0-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download