gh0strat | 1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Size

142KB
MD5

24a5d9f723ca5fe655db7fcc7c531c1f
SHA1

2796ec0639c086615ef70c4c9a601be0b9076ade
SHA256

1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad
SHA512

1c53dde2a7380ba78a2472824f1629eb1f19732cf713114b240d5d1126259b45473f1b6cff40f14c68d293f6da38fff3d1d0690e097b076e3644d200d2b9dc9d
SSDEEP

3072:3CaaIIf5xahjfNfpDhBis1MWVUvwLZcrH9NE:3fWHahJJhA+bUvw1cM

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001662e-5.dat	family_gh0strat
behavioral1/files/0x000c00000001662e-8.dat	family_gh0strat
behavioral1/memory/2208-9-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2836	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Oklm\Tklmnopqr.jpg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Oklm\Tklmnopqr.jpg	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeRestorePrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeBackupPrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeRestorePrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeBackupPrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeRestorePrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeBackupPrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeRestorePrivilege	2208	1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe
"C:\Users\Admin\AppData\Local\Temp\1b0c0d425712860775e13c68954bd1a0abee2b6df6afcbba759449a2daf4fcad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Oklm\Tklmnopqr.jpg

Filesize
116KB

MD5
fa5b49f46b115e42f4f201b7890ce46f

SHA1
0143d49441dbc2d98ee6aed6ccd011901209193f

SHA256
7584bc3c8ffcefa4e039df991724ba36b918924a5417243895baf9936c0ee2ad

SHA512
3b1d3e512a9659766dee1bdda7024b5cd16a8fc93d1f8d7101d097b22cfd9d37874c165b54d4292a7cc942f9cc7f09e02007f84e77bfa9a6bbab7720bd712980

Download Submit
\??\c:\NT_Path.jpg

Filesize
116B

MD5
9b5b381193cc97e590d0c4115cb28aab

SHA1
74402e21b0986918738530c1bd7097fa0319946e

SHA256
d03051768990873357249f768e4dd61fe849f55679e8960ae451930cb6dbd584

SHA512
17bac0dd03a4c58d6a181377a9cdc7fedbfde2277cfbe699ea39bcb459795c6ce2ef338d29b33d9d4acab3081c7f91aab52c76f65288710e8ddf00cc45ef5d62

Download Submit
\??\c:\users\admin\appdata\roaming\oklm\tklmnopqr.jpg

Filesize
6.7MB

MD5
6029093c6db352105326df8477f08297

SHA1
a3971a74aa9a10fb4b347092d0f4d4d00c0edfb0

SHA256
21a056677d3c659aae940b12154c9d8f9887d194211c9dc08f36e09cf0e7ef82

SHA512
8025218a05be2c1af501505105227861121f0d041bbd5ac2fdca8d2d935ffb2a44e778f1e91bac8883735dba3a93b9e67df5a490746854dfc516154f509f3ed4

Download Submit
memory/2208-9-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download