gh0strat | 546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5

General

Target

546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe
Size

98KB
MD5

5254b8f557e9234701b2974c476e8c3c
SHA1

8714e109c9a3d3c2a55a1176060c54b76cb39678
SHA256

546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5
SHA512

c0bc208a8a184fcd914f35502ebab99c015a2b87a3087860825a8250089121bee8ac7253a92f25f839ba3cc68e7ff03132a2e9aa25c4e877894bf855db6ad173
SSDEEP

1536:0pFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr1CDPODmqo5Rh/b:0/S4jHS8q/3nTzePCwNUh4E9G87Gb

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e3b-139.dat	family_gh0strat
behavioral2/files/0x0007000000022e3b-140.dat	family_gh0strat
behavioral2/memory/3440-141-0x0000000000400000-0x000000000044E364-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e3b-142.dat	family_gh0strat
behavioral2/files/0x0007000000022e3b-144.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
3440	mtbehlyysp

Loads dropped DLL 3 IoCs

pid	Process
4856	svchost.exe
1136	svchost.exe
816	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yvwgocxucp	svchost.exe
File created	C:\Windows\SysWOW64\yttvketapx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dkoxeigscv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xfwedtwunr	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1788	4856	WerFault.exe	85
1256	1136	WerFault.exe	92
3244	816	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	mtbehlyysp
3440	mtbehlyysp

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeRestorePrivilege	3440	mtbehlyysp
Token: SeBackupPrivilege	3440	mtbehlyysp
Token: SeBackupPrivilege	3440	mtbehlyysp
Token: SeRestorePrivilege	3440	mtbehlyysp
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeRestorePrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeSecurityPrivilege	4856	svchost.exe
Token: SeSecurityPrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeSecurityPrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeSecurityPrivilege	4856	svchost.exe
Token: SeBackupPrivilege	4856	svchost.exe
Token: SeRestorePrivilege	4856	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeRestorePrivilege	1136	svchost.exe
Token: SeBackupPrivilege	816	svchost.exe
Token: SeRestorePrivilege	816	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 3440	1932	546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe	79
PID 1932 wrote to memory of 3440	1932	546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe	79
PID 1932 wrote to memory of 3440	1932	546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe	79

C:\Users\Admin\AppData\Local\Temp\546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe
"C:\Users\Admin\AppData\Local\Temp\546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- \??\c:\users\admin\appdata\local\mtbehlyysp
  "C:\Users\Admin\AppData\Local\Temp\546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe" a -sc:\users\admin\appdata\local\temp\546dfbdcf904d726960dd8db1934f21b578c454a7902bbbcff24c6cf5b69e1f5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1020
  2⤵
  - Program crash
  PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4856 -ip 4856
1⤵
PID:5076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1072
  2⤵
  - Program crash
  PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1136 -ip 1136
1⤵
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 828
  2⤵
  - Program crash
  PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 816 -ip 816
1⤵
PID:768

Network

DNS

conf.f.360.cn

fastuserswitchingcompatibility

Remote address:

8.8.8.8:53

Request

conf.f.360.cn

IN A

Response

conf.f.360.cn

IN CNAME

conf.f.qh-lb.com

conf.f.qh-lb.com

IN A

180.163.243.162

conf.f.qh-lb.com

IN A

180.163.243.109
DNS

conf.f.360.cn

fastuserswitchingcompatibility

Remote address:

8.8.8.8:53

Request

conf.f.360.cn

IN A

Response

conf.f.360.cn

IN CNAME

conf.f.qh-lb.com

conf.f.qh-lb.com

IN A

1.192.193.145

conf.f.qh-lb.com

IN A

180.163.243.119

13.69.239.72:443

322 B
7

8.8.8.8:53

conf.f.360.cn

dns

fastuserswitchingcompatibility

59 B
121 B
1
1

DNS Request

conf.f.360.cn

DNS Response

180.163.243.162

180.163.243.109
8.8.8.8:53

conf.f.360.cn

dns

fastuserswitchingcompatibility

59 B
121 B
1
1

DNS Request

conf.f.360.cn

DNS Response

1.192.193.145

180.163.243.119

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\wqswi.cc3

Filesize
20.1MB

MD5
aaba66d49076e266996c42068785c378

SHA1
1be8143a56a4ed8b3c64d7af671ffd378f7d0402

SHA256
ed3698026625533f4fa6d8ed6d852a6a3ee59f7a7b9aaba42194f99c9c7803e8

SHA512
49693d52f9d6ae1f373c4ca6521e71b2e4c42a401815687f6342fee6b542c570e8698ec1568a8269abe799c64b438a9fd4f860574255aca2d644b6b913398447

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\wqswi.cc3

Filesize
20.1MB

MD5
aaba66d49076e266996c42068785c378

SHA1
1be8143a56a4ed8b3c64d7af671ffd378f7d0402

SHA256
ed3698026625533f4fa6d8ed6d852a6a3ee59f7a7b9aaba42194f99c9c7803e8

SHA512
49693d52f9d6ae1f373c4ca6521e71b2e4c42a401815687f6342fee6b542c570e8698ec1568a8269abe799c64b438a9fd4f860574255aca2d644b6b913398447

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\wqswi.cc3

Filesize
20.1MB

MD5
aaba66d49076e266996c42068785c378

SHA1
1be8143a56a4ed8b3c64d7af671ffd378f7d0402

SHA256
ed3698026625533f4fa6d8ed6d852a6a3ee59f7a7b9aaba42194f99c9c7803e8

SHA512
49693d52f9d6ae1f373c4ca6521e71b2e4c42a401815687f6342fee6b542c570e8698ec1568a8269abe799c64b438a9fd4f860574255aca2d644b6b913398447

Download Submit
C:\Users\Admin\AppData\Local\mtbehlyysp

Filesize
21.1MB

MD5
dee802797768520fc89fd7f8b0f25875

SHA1
b3bbecdabbcfcc4d3f035eb523ca4efd8da32c8c

SHA256
f34000a4027aa2af441cbc0adfda67c583ea4bd68ccac3719ddcfdd3936d7325

SHA512
09971d6332cc4253afc5948018e29c46055a3a10b56d69789476bd30c6d62d44eddac65174ddfae2c9181864f1badf60b09ae0a00d61cac5ccc38592f847a7e1

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
3c44b6ba35bd951f17d771985da3e709

SHA1
95f868357fd1cad9904fa505f01fc0774c194427

SHA256
ea16699778857d49e109660671eb8aada77304c075f176cd119dbda806fc3516

SHA512
18688e1950e1fbf42bbd4225943309545c11348fefe6a32394156987e4b7b3fe5a615f2c51ea8ec9f08cdd3f3e02e5e0700baaab1c197df589b2a04c8352b44c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
43c0bc442da09a542e5523435e4f08d2

SHA1
029e8e1cb2341b54e0585c7043b65dafd52da7ec

SHA256
54f79886d42e6c6485eadd406f36020a772cad275d6991f322886d29c65f0e61

SHA512
79a2c4655f7d4c5a053aef141ba92444ee0c3c96bbb46a0d865a1b83a2a1961181ff19338e53b1c5601a5a668ffffc359770497c39be4378cf987aa2a44f3a4b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\wqswi.cc3

Filesize
20.1MB

MD5
aaba66d49076e266996c42068785c378

SHA1
1be8143a56a4ed8b3c64d7af671ffd378f7d0402

SHA256
ed3698026625533f4fa6d8ed6d852a6a3ee59f7a7b9aaba42194f99c9c7803e8

SHA512
49693d52f9d6ae1f373c4ca6521e71b2e4c42a401815687f6342fee6b542c570e8698ec1568a8269abe799c64b438a9fd4f860574255aca2d644b6b913398447

Download Submit
\??\c:\users\admin\appdata\local\mtbehlyysp

Filesize
21.1MB

MD5
dee802797768520fc89fd7f8b0f25875

SHA1
b3bbecdabbcfcc4d3f035eb523ca4efd8da32c8c

SHA256
f34000a4027aa2af441cbc0adfda67c583ea4bd68ccac3719ddcfdd3936d7325

SHA512
09971d6332cc4253afc5948018e29c46055a3a10b56d69789476bd30c6d62d44eddac65174ddfae2c9181864f1badf60b09ae0a00d61cac5ccc38592f847a7e1

Download Submit
memory/1932-133-0x0000000000400000-0x000000000044E364-memory.dmp

Filesize
312KB

Download
memory/1932-132-0x0000000000400000-0x000000000044E364-memory.dmp

Filesize
312KB

Download
memory/3440-138-0x0000000000400000-0x000000000044E364-memory.dmp

Filesize
312KB

Download
memory/3440-141-0x0000000000400000-0x000000000044E364-memory.dmp

Filesize
312KB

Download
memory/3440-137-0x0000000000400000-0x000000000044E364-memory.dmp

Filesize
312KB

Download

Analysis

Sharing