gh0strat | 9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:22

Target

9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe
Size

376KB
MD5

eb2e46cafe688c41e19a25233029e8fc
SHA1

189ddd1a812ad0647dde7f214cd7379764fb838d
SHA256

9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c
SHA512

b6bdeccec77cd82bb9d34947f63983994b5e5ad8647bdce80dcb28501deb8c6b3708e847349f3fe25581baf0b13984647b2d74a01e6c392aefae22304d5c9a2d
SSDEEP

3072:RvK/yLrQbWaR5Qax8c/Ytzyxy+Pb9gcamf/w5vtc009w60wbA0X:ROyLEbWaR5CcLTPb9gc16LKLbN

Score

10^/10

Family

gh0strat

103.143.46.17

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2336-0-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral1/memory/2336-15-0x0000000000400000-0x0000000000460000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

Zumxpdd.exeZumxpdd.exe

pid process

2416 Zumxpdd.exe
2828 Zumxpdd.exe
Loads dropped DLL 1 IoCs

Processes:

Zumxpdd.exe

pid process

2416 Zumxpdd.exe

pid	process
2416	Zumxpdd.exe
2828	Zumxpdd.exe

pid	process
2416	Zumxpdd.exe

Drops file in Program Files directory 2 IoCs

Processes:

9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Ciuoom\Zumxpdd.exe	9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Ciuoom\Zumxpdd.exe	9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exeZumxpdd.exeZumxpdd.exe

pid	process
2336	9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe
2336	9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe
2416	Zumxpdd.exe
2416	Zumxpdd.exe
2828	Zumxpdd.exe
2828	Zumxpdd.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe

pid process

2336 9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Zumxpdd.exe

description	pid	process	target process
PID 2416 wrote to memory of 2828	2416	Zumxpdd.exe	Zumxpdd.exe
PID 2416 wrote to memory of 2828	2416	Zumxpdd.exe	Zumxpdd.exe
PID 2416 wrote to memory of 2828	2416	Zumxpdd.exe	Zumxpdd.exe
PID 2416 wrote to memory of 2828	2416	Zumxpdd.exe	Zumxpdd.exe

C:\Program Files (x86)\Microsoft Ciuoom\Zumxpdd.exe
Filesize
376KB

MD5
eb2e46cafe688c41e19a25233029e8fc

SHA1
189ddd1a812ad0647dde7f214cd7379764fb838d

SHA256
9fd93ef3b23367d775e16c7cf684705d77467395ac6e26c916bfe39e44f46f6c

SHA512
b6bdeccec77cd82bb9d34947f63983994b5e5ad8647bdce80dcb28501deb8c6b3708e847349f3fe25581baf0b13984647b2d74a01e6c392aefae22304d5c9a2d

Download Submit
memory/2336-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2336-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download