gh0strat | d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe
Size

1.0MB
MD5

3656815656dc091b0aa63aab40358612
SHA1

f4949736b95643e498e81370bc1db4c94994d294
SHA256

d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9
SHA512

af40ff261ea78951695b9f977480905d211baddd45c873ee575cd350a0e512e79b462749072a54ae1b6fe77cf6b4cc179cb1197fbdc4906df740bc9f37eedd4f
SSDEEP

12288:M+DfxLIvuGmQkMRWNEpGS7cLxdSGNyizkKwcp8zqmJyy28bRyXL:M+TCz8wlep82w5yX

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2128-3-0x0000000010000000-0x000000001008E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Cskaoq.exe

Executes dropped EXE 2 IoCs

pid	Process
3008	Cskaoq.exe
2952	Cskaoq.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	Cskaoq.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	Cskaoq.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Cskaoq.exe	d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe
File opened for modification	C:\windows\Cskaoq.exe	d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cskaoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cskaoq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2952	Cskaoq.exe
Token: SeIncBasePriorityPrivilege	2952	Cskaoq.exe
Token: 33	2952	Cskaoq.exe
Token: SeIncBasePriorityPrivilege	2952	Cskaoq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2952	3008	Cskaoq.exe	32
PID 3008 wrote to memory of 2952	3008	Cskaoq.exe	32
PID 3008 wrote to memory of 2952	3008	Cskaoq.exe	32
PID 3008 wrote to memory of 2952	3008	Cskaoq.exe	32

C:\Users\Admin\AppData\Local\Temp\d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe
"C:\Users\Admin\AppData\Local\Temp\d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2128

C:\windows\Cskaoq.exe
C:\windows\Cskaoq.exe -auto
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\windows\Cskaoq.exe
  C:\windows\Cskaoq.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cskaoq.exe

Filesize
1.0MB

MD5
3656815656dc091b0aa63aab40358612

SHA1
f4949736b95643e498e81370bc1db4c94994d294

SHA256
d249d1660c4662f323f4a2097179ea14bdf687706c108eefda90817112ce89e9

SHA512
af40ff261ea78951695b9f977480905d211baddd45c873ee575cd350a0e512e79b462749072a54ae1b6fe77cf6b4cc179cb1197fbdc4906df740bc9f37eedd4f

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
19B

MD5
fe9af7587d65300338177538aa72f924

SHA1
c8ae231d3ae13f9db8b9f16e188e951e7cb76377

SHA256
556243e27a369fbdff1ecfb413b7540f1eb4e6becba03b76d221443b0d022351

SHA512
3bffe70c5daea4d6be501278be067bbc02e7ac211fef33629b5447ef498d49af7cbe25f994e33c2835bd9963749c07edc789fddd918e1c7739b77422ff57cf3e

Download Submit
C:\input.txt

Filesize
4B

MD5
a0f3601dc682036423013a5d965db9aa

SHA1
ac9cf1d82666b68d9f7d8761209b8690836e5f74

SHA256
5514a9f709310b22ee9bddd4e6da1b2b8b04d1ad5c3dcb47ed945c356b9b852d

SHA512
7433bb10d53b40c9e9d3e71296ead76fd153eccf07199b50b5c0797ae0056f9f6e61a156b2b18655184efe889961cbf8115486dc1238cbf90c3be73ed9448fc9

Download Submit
memory/2128-3-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download