gh0strat | 9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe
Size

1.0MB
MD5

a76df31724d8101889ac5b723d32f2a9
SHA1

7a19d5e7e6f65c1d78fab3f2f15ae2d0bb72b0d9
SHA256

9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b
SHA512

aa2eb53c267539c779941a1250f0e403eac982d9a625ffa9219a6b1ebc46939d657b3fd811b52e8c020e6a133c97909d148c5e729aca25bac774e96a42ace7d5
SSDEEP

12288:M+9JIICwqWRmTxyJrH0vwK8spKfUFGLIfed0cX69udCMT:M+9J2wqWRmTxSsIfUFGLIfeJdCM

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2520-3-0x0000000010000000-0x000000001008E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Gmmgxu.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	Gmmgxu.exe
708	Gmmgxu.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Gmmgxu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Gmmgxu.exe	9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe
File opened for modification	C:\windows\Gmmgxu.exe	9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgxu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgxu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	708	Gmmgxu.exe
Token: SeIncBasePriorityPrivilege	708	Gmmgxu.exe
Token: 33	708	Gmmgxu.exe
Token: SeIncBasePriorityPrivilege	708	Gmmgxu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 708	2368	Gmmgxu.exe	32
PID 2368 wrote to memory of 708	2368	Gmmgxu.exe	32
PID 2368 wrote to memory of 708	2368	Gmmgxu.exe	32
PID 2368 wrote to memory of 708	2368	Gmmgxu.exe	32

C:\Users\Admin\AppData\Local\Temp\9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe
"C:\Users\Admin\AppData\Local\Temp\9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2520

C:\windows\Gmmgxu.exe
C:\windows\Gmmgxu.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\windows\Gmmgxu.exe
  C:\windows\Gmmgxu.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Gmmgxu.exe

Filesize
1.0MB

MD5
a76df31724d8101889ac5b723d32f2a9

SHA1
7a19d5e7e6f65c1d78fab3f2f15ae2d0bb72b0d9

SHA256
9661b7225aabfc51d50e72e4d6ed90c1f2185152be6a9fa107087ab6311c039b

SHA512
aa2eb53c267539c779941a1250f0e403eac982d9a625ffa9219a6b1ebc46939d657b3fd811b52e8c020e6a133c97909d148c5e729aca25bac774e96a42ace7d5

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
19B

MD5
fe9af7587d65300338177538aa72f924

SHA1
c8ae231d3ae13f9db8b9f16e188e951e7cb76377

SHA256
556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351

SHA512
3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

Download Submit
C:\input.txt

Filesize
5B

MD5
0e50acc98850803aaa6ab6860f14b84d

SHA1
cbfb0b5276414fb620dc35ef0122d178848221fe

SHA256
af7e0341d4467d71d304f94d41992aa69dda7fd271e7e19fafd741064651b215

SHA512
745ce37fdcbb4c4fc9fc8e0a877e633a97746e18de54275eed582d2fd000d17069b075d5c098a05995d1af9b36885f88b4b24b75281549f59e2f623da48c4359

Download Submit
memory/2520-3-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download