gh0strat | 789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll
Size

10.0MB
MD5

2d4917e38640c3edce8abc2eed666556
SHA1

8839af77fcf612375d063e97e57ffbd2c12d468a
SHA256

789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a
SHA512

0405c00c5cc8aeae6b77a23ca461f35474850c9251ad5bb5a2f104f8d408b53e76fa8aa30660573a717c3799f27ca0cb2a6d7d6a9fbfd71e1249ed0695575cea
SSDEEP

3072:iJO8w5IR5QgyTYOiFTZCqKDWQimUXTK5Vjz/GQcWRMIP0M:oO8og8YOuCj6QwDcja0RL

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/3532-0-0x0000000010000000-0x0000000010025000-memory.dmp	family_gh0strat
behavioral2/files/0x0011000000023bb0-4.dat	family_gh0strat
behavioral2/memory/3352-6-0x0000000010000000-0x0000000010025000-memory.dmp	family_gh0strat
behavioral2/memory/3352-7-0x0000000010000000-0x0000000010025000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Loads dropped DLL 1 IoCs

pid	Process
3352	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\avicap.log	rundll32.exe
File created	C:\Windows\system\avicap.log	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3532	rundll32.exe
Token: SeRestorePrivilege	3532	rundll32.exe
Token: SeBackupPrivilege	3532	rundll32.exe
Token: SeRestorePrivilege	3532	rundll32.exe
Token: SeBackupPrivilege	3532	rundll32.exe
Token: SeRestorePrivilege	3532	rundll32.exe
Token: SeBackupPrivilege	3532	rundll32.exe
Token: SeRestorePrivilege	3532	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3532	2140	rundll32.exe	86
PID 2140 wrote to memory of 3532	2140	rundll32.exe	86
PID 2140 wrote to memory of 3532	2140	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\789d161b8b1018061a29bcb61d8e20a8c86417e62aaefab4fc818adb98deec9a.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\system\avicap.log

Filesize
16.7MB

MD5
63155c33cc3347a3b07b5831db172c80

SHA1
76bd6f857253c1c2c2c53d8cd8a51613ff5e3daa

SHA256
cb0b95fe4d38d55f0e959ccffef6c95545bdd4875ba890e26f97d3d6842a9437

SHA512
b4496c8d94772dcc625bb772a055462a24853c2b722f262ce1cd71af7959982d302014d3ad7efe7788a39878f38c9492acac22ad60fbd5d270163b62ecff662e

Download Submit
memory/3352-6-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/3352-7-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/3532-0-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download