gh0strat | be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe
Size

1.0MB
MD5

1928e5db4bd1c2946558c57a934f0b59
SHA1

193f26fce289fa13ec0171d452177a7e6bae15ac
SHA256

be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a
SHA512

43764e079014127ef3bc4796269dd8f9831f0f07de1094ac1fd53c01675f5eb587001d567d18000886b3f2be367fea925ea95bf9fd8196446ca11f1347fbb5e9
SSDEEP

12288:M+vAjoEu/F4sv9aiiQ3DH4MQycRJ9DZdRfImxzXJ:M+vA8ElsvUiiQ3DY9RRDxfImxzX

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4060-3-0x0000000010000000-0x000000001008E000-memory.dmp	family_gh0strat
behavioral2/memory/2340-22-0x0000000010000000-0x000000001008E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Imcycq.exe

Executes dropped EXE 2 IoCs

pid	Process
1820	Imcycq.exe
2340	Imcycq.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Imcycq.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Imcycq.exe	be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe
File opened for modification	C:\windows\Imcycq.exe	be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imcycq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imcycq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2340	Imcycq.exe
Token: SeIncBasePriorityPrivilege	2340	Imcycq.exe
Token: 33	2340	Imcycq.exe
Token: SeIncBasePriorityPrivilege	2340	Imcycq.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2340	1820	Imcycq.exe	87
PID 1820 wrote to memory of 2340	1820	Imcycq.exe	87
PID 1820 wrote to memory of 2340	1820	Imcycq.exe	87

C:\Users\Admin\AppData\Local\Temp\be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe
"C:\Users\Admin\AppData\Local\Temp\be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4060

C:\windows\Imcycq.exe
C:\windows\Imcycq.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\windows\Imcycq.exe
  C:\windows\Imcycq.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Imcycq.exe

Filesize
1.0MB

MD5
1928e5db4bd1c2946558c57a934f0b59

SHA1
193f26fce289fa13ec0171d452177a7e6bae15ac

SHA256
be567cccc943f4a486fed008ca3479b489eb60822485a1d179c5522a2d694c6a

SHA512
43764e079014127ef3bc4796269dd8f9831f0f07de1094ac1fd53c01675f5eb587001d567d18000886b3f2be367fea925ea95bf9fd8196446ca11f1347fbb5e9

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
19B

MD5
fe9af7587d65300338177538aa72f924

SHA1
c8ae231d3ae13f9db8b9f16e188e951e7cb76377

SHA256
556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351

SHA512
3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

Download Submit
C:\input.txt

Filesize
4B

MD5
f7696a9b362ac5a51c3dc8f098b73923

SHA1
a6a0845258a40575703021e5244ff9c70838a23b

SHA256
5a0b83e19c5750eed6d8d46cb858d15c956a657093c08afa53133c0fbe5f04fb

SHA512
3ae0f24c4f1fe6593f20f92f251c54c1d10e6f576340c9ae31a46d50cf3b49c364d1a0ab6b9d5702cb057077db52a48f192b491f142315311629b9ad7cc11fdb

Download Submit
memory/2340-22-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download
memory/4060-3-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download