gh0strat | 17fbfee0cd6f164786c1b90fba254a776edf1b917ba7e27484600b70fac949c9

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF天空VIP V7.8版 8.29 日破解版/天空vip.exe
Size

1.3MB
MD5

27f4e7a15d2a4624eb6f3adabd70e97d
SHA1

9c2eafe637e33fd260cee1d65f3d7a113256c7f6
SHA256

d49ab1f371ffc533a82826611c042a83458f49a82b3a57e35e5cea8b15aca98b
SHA512

3055a4293578b346fe3c83d161285b4f78cd13a586f0e91231cf0c09aa3b3e2563577733eddb6381ce126f0a5a0120e4bbd1eb8522bf3e8860d24ac65e29637c
SSDEEP

24576:3ZIJ8lG4o3PE+WGEky00Eyb/LOh7FTVLYyMrc7LcvOrZfJoM0FQm9NsWTVVRuxqL:9lG4ofRC00Eyja7jYmLvoM0z7uxSd

Score

10^/10

gh0strat discovery rat upx

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023bbb-4.dat	family_gh0strat
behavioral2/files/0x0006000000022aec-77.dat	family_gh0strat
behavioral2/files/0x000300000001e726-81.dat	family_gh0strat
behavioral2/memory/408-85-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4688-90-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4984-95-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	天空vip.exe

Executes dropped EXE 3 IoCs

pid	Process
5036	server.exe
2364	天空vip.exe
2996	erpxyctmuh

Loads dropped DLL 3 IoCs

pid	Process
408	svchost.exe
4688	svchost.exe
4984	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ibbnrihqky	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ikpgaljoxu	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\isdahommkp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2364-45-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-72-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-73-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-70-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-68-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-66-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-64-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-60-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-58-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-56-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-55-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-49-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-44-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-37-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-27-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-26-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-25-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/2364-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3172	408	WerFault.exe	94
1824	4688	WerFault.exe	99
4884	4984	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	天空vip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	天空vip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erpxyctmuh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: 33	2364	天空vip.exe
Token: SeIncBasePriorityPrivilege	2364	天空vip.exe
Token: 33	2364	天空vip.exe
Token: SeIncBasePriorityPrivilege	2364	天空vip.exe
Token: 33	2364	天空vip.exe
Token: SeIncBasePriorityPrivilege	2364	天空vip.exe
Token: 33	2364	天空vip.exe
Token: SeIncBasePriorityPrivilege	2364	天空vip.exe
Token: 33	2364	天空vip.exe
Token: SeIncBasePriorityPrivilege	2364	天空vip.exe
Token: SeRestorePrivilege	2996	erpxyctmuh
Token: SeBackupPrivilege	2996	erpxyctmuh
Token: SeBackupPrivilege	2996	erpxyctmuh
Token: SeRestorePrivilege	2996	erpxyctmuh
Token: SeBackupPrivilege	408	svchost.exe
Token: SeRestorePrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeSecurityPrivilege	408	svchost.exe
Token: SeSecurityPrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeSecurityPrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeSecurityPrivilege	408	svchost.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeRestorePrivilege	408	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeRestorePrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeSecurityPrivilege	4688	svchost.exe
Token: SeSecurityPrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeSecurityPrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeSecurityPrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4688	svchost.exe
Token: SeRestorePrivilege	4688	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeRestorePrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeSecurityPrivilege	4984	svchost.exe
Token: SeSecurityPrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeSecurityPrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeSecurityPrivilege	4984	svchost.exe
Token: SeBackupPrivilege	4984	svchost.exe
Token: SeRestorePrivilege	4984	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2364	天空vip.exe
2364	天空vip.exe
2364	天空vip.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 5036	4676	天空vip.exe	84
PID 4676 wrote to memory of 5036	4676	天空vip.exe	84
PID 4676 wrote to memory of 5036	4676	天空vip.exe	84
PID 4676 wrote to memory of 2364	4676	天空vip.exe	85
PID 4676 wrote to memory of 2364	4676	天空vip.exe	85
PID 4676 wrote to memory of 2364	4676	天空vip.exe	85
PID 5036 wrote to memory of 2996	5036	server.exe	89
PID 5036 wrote to memory of 2996	5036	server.exe	89
PID 5036 wrote to memory of 2996	5036	server.exe	89

C:\Users\Admin\AppData\Local\Temp\CF天空VIP V7.8版 8.29 日破解版\天空vip.exe
"C:\Users\Admin\AppData\Local\Temp\CF天空VIP V7.8版 8.29 日破解版\天空vip.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - \??\c:\users\admin\appdata\local\erpxyctmuh
    "C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\天空vip.exe
  "C:\Users\Admin\AppData\Local\Temp\天空vip.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 840
  2⤵
  - Program crash
  PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 408 -ip 408
1⤵
PID:2240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1100
  2⤵
  - Program crash
  PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4688 -ip 4688
1⤵
PID:3096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 748
  2⤵
  - Program crash
  PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4984 -ip 4984
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
196KB

MD5
6143117050965152ba482b72c75768fb

SHA1
c13234982f9818b6679c56e24b13c181deee417b

SHA256
da66601f0b0b62302f0f4b99df958ac417f6d271715afaebf8313154a8059175

SHA512
52a8f542ab52725c4f3c6b014a36164691af9b5a95f72c4a35bcc91c90ebff825417a28a1a4015bcb684f3a79623e0bfaddf7ed9e4ba134c3f702aacaf17d51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\天空vip.exe

Filesize
2.1MB

MD5
728080054e4108c4244e9d240c1bbc99

SHA1
8d60c0102a534695c58ab4e738bf24772c2d90ae

SHA256
d3e00e23521c92e28b19d7c77a866eb531a45c03297dd275808a632117771b04

SHA512
40f8823dce900383df2be43969ad161631d1a6ae7b57d7330453e743cfc9ff620fec718a992982ba9e070324e3a8fe3daa69e4f33a86d62feaa82c83cd193efd

Download Submit
C:\Users\Admin\AppData\Local\erpxyctmuh

Filesize
24.6MB

MD5
b9ba4923626556b2352e318ba785663b

SHA1
f08ab221c6e3fb6b1345af69b1d3c14bb2f90b8d

SHA256
7b7fa76ef6b494d4facc5f028de16d87d6a244ec411f2bdeaa014c86f5883ae5

SHA512
15fc5ddc3f2cfd965b22c8b8b86da018d7f2091b704a1a29d1c194f559bb3ea7498f01fbc96297638aa72fb21420eabdbc6fe0b1d23e91e911f06159cceadfe6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
88e102f9ae26a9ba5c44fbada9d2ad7e

SHA1
58fa41ecb2bbafae1bc2a12282ef06e43dbd79ac

SHA256
8fb5a7ebf59bc094cc3cb333076a9e83aa72c918f48fdf2dd9602eb3a9a89930

SHA512
4e962dc0bb0331f00a9754b790f09b64b919e211acb72671db5f8bf48e46a3b085065a4e3f3d87b4d6c519335302897ec0c0a1cc1fe308e64437e584e71b037c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
817df372e6167ddaafd933c84aae31e2

SHA1
b1a131b4cd36ccbcad3a1c90bbbd47c493d66c37

SHA256
390f986b44dbfd1e73ae855739ce02995b1b8ef60d0875a70adf3db83e70701c

SHA512
5d8085c5823bf1831abef7976f12b823dc0b74fe4908483dd404a3bf922c9992108a449bd21524fa334c7ec0f1cb2675ea4e0145a5124e081e052fedcf924e58

Download Submit
\??\c:\programdata\drm\%sessionname%\jpdqf.cc3

Filesize
19.1MB

MD5
ddfe3287f9b35341e458e9c73e1a99b7

SHA1
bf55b1f93225e404bba63f1a50c9f576d2251742

SHA256
7c94f35e288665d61025bf9ae514e800ce0d5962151fae6a92674f7c0c6ee1a7

SHA512
5dc5bc78f1e41e60afbde6f75866f806496aaabb83194fe1f68cd002b96f809df42e6ff10e52ab771ac936bdb145d6b5f9e1af2f9042f1ba240c015f3457e1b7

Download Submit
memory/408-85-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/408-83-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/2364-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-26-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-60-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-58-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-56-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-55-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-49-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-44-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-66-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-37-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-27-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-64-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-25-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-68-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-70-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-73-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-72-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-45-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2364-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4688-90-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4688-87-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/4984-92-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/4984-95-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download