gh0strat | 7d411b417c49604305ce9661da23b49a3a3e1ed1bd9d4c5986b4bf5e5f6da5e9

Analysis

max time kernel
120s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07/03/2025, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libcef.exe
Size

440KB
MD5

71efcad545b463046639217a13374130
SHA1

6dab64e59b94adb4a76984e0b8364d352b2566ec
SHA256

7d411b417c49604305ce9661da23b49a3a3e1ed1bd9d4c5986b4bf5e5f6da5e9
SHA512

b9292d619dc2638a1df252371b100bc25ea52eba0316577cb299c7456875d629e2f8de4abe99cc77e17479665b50d1627342a712f7b7350a150f4628d27f99f2
SSDEEP

6144:Xbwen1gUU1lzgAyWMZ7qxHDP7DBFi6PWgIlDP6FPm/h4VSdcn+3Y1tMmbWs:XbweCa1qpT2FGm/hsf+3Y12wW

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4500-0-0x0000000010000000-0x0000000010057000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libcef.exe"	libcef.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	libcef.exe
File opened (read-only)	\??\W:	libcef.exe
File opened (read-only)	\??\K:	libcef.exe
File opened (read-only)	\??\R:	libcef.exe
File opened (read-only)	\??\Z:	libcef.exe
File opened (read-only)	\??\H:	libcef.exe
File opened (read-only)	\??\J:	libcef.exe
File opened (read-only)	\??\Q:	libcef.exe
File opened (read-only)	\??\T:	libcef.exe
File opened (read-only)	\??\X:	libcef.exe
File opened (read-only)	\??\I:	libcef.exe
File opened (read-only)	\??\L:	libcef.exe
File opened (read-only)	\??\M:	libcef.exe
File opened (read-only)	\??\S:	libcef.exe
File opened (read-only)	\??\U:	libcef.exe
File opened (read-only)	\??\Y:	libcef.exe
File opened (read-only)	\??\B:	libcef.exe
File opened (read-only)	\??\D:	libcef.exe
File opened (read-only)	\??\G:	libcef.exe
File opened (read-only)	\??\N:	libcef.exe
File opened (read-only)	\??\O:	libcef.exe
File opened (read-only)	\??\P:	libcef.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	libcef.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	libcef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	libcef.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe
4500	libcef.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4500	libcef.exe
Token: SeIncBasePriorityPrivilege	4500	libcef.exe
Token: 33	4500	libcef.exe
Token: SeIncBasePriorityPrivilege	4500	libcef.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4500	libcef.exe
4500	libcef.exe

C:\Users\Admin\AppData\Local\Temp\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\libcef.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4500