gh0strat | 7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
Size

12.2MB
MD5

313c6125ce2f610bdb867a161addcc81
SHA1

02185bfecc7f19658823978ff8d6083531c09bbd
SHA256

7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838
SHA512

52dd26576d45f48de92f37e87aa692cd26a1824fe17e554acdaf673914cbbaf6429bf38ef53fb2340c8d9afa4fc5ab4be8d84c2fc8006f58a1f6baff348dae43
SSDEEP

196608:MrvzibXtSA2UFrJ3Miv+364Hosu0VWY7g50N9TieHTwIHknYDToB5TICfWAyDjMJ:MKBSADJ63/cY7X2nboEfWARYQ

Score

10^/10

gh0strat discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/2724-13154-0x0000000010000000-0x0000000010191000-memory.dmp	family_gh0strat
behavioral2/memory/2724-13153-0x0000000010000000-0x0000000010191000-memory.dmp	family_gh0strat
behavioral2/memory/2724-13156-0x0000000010000000-0x0000000010191000-memory.dmp	family_gh0strat
behavioral2/memory/2724-13159-0x0000000010000000-0x0000000010191000-memory.dmp	family_gh0strat
behavioral2/memory/2724-13160-0x0000000010000000-0x0000000010191000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1656	ÉÏºÅÆ÷12.28.exe
2724	QQ.exe

Loads dropped DLL 3 IoCs

pid	Process
1656	ÉÏºÅÆ÷12.28.exe
1656	ÉÏºÅÆ÷12.28.exe
1656	ÉÏºÅÆ÷12.28.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QQ.exe"	QQ.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Base.dll	ÉÏºÅÆ÷12.28.exe
File created	C:\Windows\SysWOW64\TestLF.dll	ÉÏºÅÆ÷12.28.exe
File created	C:\Windows\SysWOW64\libeay32.dll	ÉÏºÅÆ÷12.28.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs

pid	Process
1656	ÉÏºÅÆ÷12.28.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe
2724	QQ.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-15-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-24-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-26-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-61-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-60-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-59-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-58-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-56-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-54-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-52-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-50-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-46-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-44-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-42-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-38-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-36-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-34-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-32-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-30-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-28-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-22-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-20-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-17-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-48-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-40-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-18-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/1656-16-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx
behavioral2/memory/2724-13154-0x0000000010000000-0x0000000010191000-memory.dmp	upx
behavioral2/memory/2724-13153-0x0000000010000000-0x0000000010191000-memory.dmp	upx
behavioral2/memory/2724-13151-0x0000000010000000-0x0000000010191000-memory.dmp	upx
behavioral2/memory/2724-13156-0x0000000010000000-0x0000000010191000-memory.dmp	upx
behavioral2/memory/2724-13159-0x0000000010000000-0x0000000010191000-memory.dmp	upx
behavioral2/memory/2724-13160-0x0000000010000000-0x0000000010191000-memory.dmp	upx
behavioral2/memory/1656-13166-0x0000000003BA0000-0x0000000003BDE000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÉÏºÅÆ÷12.28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	ÉÏºÅÆ÷12.28.exe
1656	ÉÏºÅÆ÷12.28.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	QQ.exe
Token: 33	2724	QQ.exe
Token: SeIncBasePriorityPrivilege	2724	QQ.exe
Token: 33	2724	QQ.exe
Token: SeIncBasePriorityPrivilege	2724	QQ.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
1656	ÉÏºÅÆ÷12.28.exe
1656	ÉÏºÅÆ÷12.28.exe
1656	ÉÏºÅÆ÷12.28.exe
1656	ÉÏºÅÆ÷12.28.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1656	1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	83
PID 1436 wrote to memory of 1656	1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	83
PID 1436 wrote to memory of 1656	1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	83
PID 1436 wrote to memory of 2724	1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	84
PID 1436 wrote to memory of 2724	1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	84
PID 1436 wrote to memory of 2724	1436	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	84

C:\Users\Admin\AppData\Local\Temp\7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
"C:\Users\Admin\AppData\Local\Temp\7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\ÉÏºÅÆ÷12.28.exe
  C:\Users\Admin\AppData\Local\Temp\ÉÏºÅÆ÷12.28.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\QQ.exe
  C:\Users\Admin\AppData\Local\Temp\QQ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Login.dll

Filesize
11.9MB

MD5
11b503094eb69c8a8285f6ed28af8ef1

SHA1
594e3c2d536bdcb5b936fe9494caf2893dbe9d07

SHA256
908fd02a45d2fa8da35010a998e3b77262a4b9ca8659df86344d414f3c66b040

SHA512
d4568977eb7f4c46118f99061dd8f9b43038d544895f36774988e09a5d9bfbafb3ff5a0e67728e6cea9c12e47928eff3143521f423eccbecd753e42acf188769

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
1.0MB

MD5
da35f17e36bc4941d092f3e64104462b

SHA1
5c9e07329c96503382dc4247d5973e0c99080c58

SHA256
35a73589540316d2ccb4f637e5db2c13ee8c092432b2bf62a49527477ef2c949

SHA512
48f1d11f77260533432d58f33c701969524d7bb04b552830a8f8481eacf542202399bc2fe5dd8bc1a0354053114f8df7f7fc43c9a98260f176b5e8da9b7f0d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉÏºÅÆ÷12.28.exe

Filesize
10.4MB

MD5
752c8b7cdb212b24297ead70c84254da

SHA1
9de73123d26012e0ea9c94cb80418f52285e8ca2

SHA256
8001894be26eeb74852b6be647114294323d6ef737e4ec8458785b1f0f8636b6

SHA512
03c4f348d5df80cff02f4ac54b67c502c446286de25ee9c283fbf4908d596ddd14942834259666f50193c1fa68bd68fd1617be9d8eca69dbb403b1d1feb347de

Download Submit
C:\Users\Admin\Documents\CCStudio\HpSocket4C.dll

Filesize
2.8MB

MD5
4bc970a97300b1a725d44bba23d8697a

SHA1
6f1eb181153692814e038e2f851d0734646f78f8

SHA256
c9d8fb5311ae6018dc1ca72774cb7efeba5c115c827a5cfb795b3580499e323d

SHA512
03968ca876b7e584de0a1418cca1dd2036fd0b4744f86d69aee5691a42061e284f8d9577293ef3f656be332f7da5ca276f85c6393bd6d8eb7de181baec0285f8

Download Submit
memory/1656-36-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-44-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-6-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1656-15-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-24-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-26-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-61-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-60-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-67-0x0000000004240000-0x0000000004E85000-memory.dmp

Filesize
12.3MB

Download
memory/1656-72-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/1656-73-0x0000000004240000-0x0000000004E85000-memory.dmp

Filesize
12.3MB

Download
memory/1656-75-0x0000000004240000-0x0000000004E85000-memory.dmp

Filesize
12.3MB

Download
memory/1656-74-0x0000000004837000-0x0000000004C17000-memory.dmp

Filesize
3.9MB

Download
memory/1656-71-0x0000000004240000-0x0000000004E85000-memory.dmp

Filesize
12.3MB

Download
memory/1656-59-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-58-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-56-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-54-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-52-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-50-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-46-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-28-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-42-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-38-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-5-0x0000000001A60000-0x0000000001A63000-memory.dmp

Filesize
12KB

Download
memory/1656-34-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-4-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/1656-13183-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/1656-32-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-22-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-20-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-17-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-48-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-40-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-18-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-16-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-13165-0x0000000001A60000-0x0000000001A63000-memory.dmp

Filesize
12KB

Download
memory/1656-13169-0x0000000004240000-0x0000000004E85000-memory.dmp

Filesize
12.3MB

Download
memory/1656-13166-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/1656-30-0x0000000003BA0000-0x0000000003BDE000-memory.dmp

Filesize
248KB

Download
memory/2724-13170-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2724-13154-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download
memory/2724-13153-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download
memory/2724-13151-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download
memory/2724-13150-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2724-3955-0x0000000075440000-0x00000000755E0000-memory.dmp

Filesize
1.6MB

Download
memory/2724-13149-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2724-5964-0x00000000753C0000-0x000000007543A000-memory.dmp

Filesize
488KB

Download
memory/2724-81-0x00000000756D0000-0x00000000758E5000-memory.dmp

Filesize
2.1MB

Download
memory/2724-80-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2724-13160-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download
memory/2724-13156-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download
memory/2724-13159-0x0000000010000000-0x0000000010191000-memory.dmp

Filesize
1.6MB

Download