gh0strat | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9

Analysis

max time kernel
192s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Size

144KB
MD5

19e0e8ac9b12a73462419a205f63fe21
SHA1

223b5e205b2794df4406a6f706408b2570f62477
SHA256

a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9
SHA512

8026e25f24eaa0f82f6e31b822ad571cb846eaaf8d885ebce45276470486b07b79eb1a7780db5ce6900525eea1c6548aad401cf65f9ca09aee3e7f509847c82d
SSDEEP

3072:5VK1M+IRHl+BSVIKISNq+Ha29M9U5EGzGv48YfIqRDUcEuccxB:5sC+wHlCSQSNqea29M9Udk4wqRDCxc/

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/4736-132-0x0000000000530000-0x000000000055B000-memory.dmp	family_gh0strat
behavioral2/memory/4736-133-0x0000000000400000-0x0000000000427000-memory.dmp	family_gh0strat
behavioral2/files/0x000b000000022e50-134.dat	family_gh0strat
behavioral2/files/0x000a000000022e5d-135.dat	family_gh0strat
behavioral2/files/0x000a000000022e5d-136.dat	family_gh0strat
behavioral2/files/0x000b000000022e50-138.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 2 IoCs

pid	Process
4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
3080	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Vlal\Waojxeqoi.gif	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
File created	C:\Program Files (x86)\Vlal\Waojxeqoi.gif	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe
3080	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeBackupPrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeBackupPrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeBackupPrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	4736	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe

C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
"C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3080

Network

DNS

15.89.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.89.54.20.in-addr.arpa

IN PTR

Response
DNS

2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
104.80.225.205:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

260 B
5
96.16.53.137:80

46 B
40 B
1
1
127.0.0.1:80

imgsvc
127.0.0.1:80

imgsvc
127.0.0.1:80

imgsvc

8.8.8.8:53

15.89.54.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

15.89.54.20.in-addr.arpa
8.8.8.8:53

2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2091800.dll

Filesize
101KB

MD5
9a321afedb20299237990eab5f04438a

SHA1
cfa0ee092174d53d23b80d4c08f1b122958c50f1

SHA256
ea4c6fc4b5fe10c83af82d5104d5a9b8c528fd383cce4677c0d10c708732c3bb

SHA512
dd63b78f80897bd585721694f7392daa10550a66b0d3d71371f86aaebec948d09b23a5db8044b0d5c39a119b6cf5e28b77bd23af9f129da6693021673d2de23b

Download Submit
C:\2091800.dll

Filesize
101KB

MD5
9a321afedb20299237990eab5f04438a

SHA1
cfa0ee092174d53d23b80d4c08f1b122958c50f1

SHA256
ea4c6fc4b5fe10c83af82d5104d5a9b8c528fd383cce4677c0d10c708732c3bb

SHA512
dd63b78f80897bd585721694f7392daa10550a66b0d3d71371f86aaebec948d09b23a5db8044b0d5c39a119b6cf5e28b77bd23af9f129da6693021673d2de23b

Download Submit
C:\Program Files (x86)\Vlal\Waojxeqoi.gif

Filesize
12.1MB

MD5
e0fefecf94066d11db1436322daec48d

SHA1
027d6953fbe24bfa09234633a20c786be8453888

SHA256
9f03e7084ac0c8c51262598f9e21fa1ba6e0d78a0103b4035ea3401e10fff003

SHA512
abbf62005ceff8162173e601b70b1463558c005746961f04ad9989855637413fbde34d357464b15e9511b4ed9b17aefbc7e4f7d475dcc2416809880d2973d18a

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
c7de3d6c7ac8ec70bf0f53dd3a57d56d

SHA1
23d7baba1ad449cdd15ab4fc5eeeff7810c5ed81

SHA256
006ba4487ca0fb1e889b79870353147c793ca4fc81d80063b6f775b13ad4532c

SHA512
2858ddee8c28f6104532d0101d6ec6812a459ae0a60ae961e838b489fe71582027696f767144f53076c5c27a9347f300daf186a6c1813ab88f55824e8c4371b5

Download Submit
\??\c:\program files (x86)\vlal\waojxeqoi.gif

Filesize
12.1MB

MD5
e0fefecf94066d11db1436322daec48d

SHA1
027d6953fbe24bfa09234633a20c786be8453888

SHA256
9f03e7084ac0c8c51262598f9e21fa1ba6e0d78a0103b4035ea3401e10fff003

SHA512
abbf62005ceff8162173e601b70b1463558c005746961f04ad9989855637413fbde34d357464b15e9511b4ed9b17aefbc7e4f7d475dcc2416809880d2973d18a

Download Submit
memory/4736-132-0x0000000000530000-0x000000000055B000-memory.dmp

Filesize
172KB

Download
memory/4736-133-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download