gh0strat | fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993

General

Target

fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Size

192KB
MD5

6e7c22ad556f0e7c7fc423ed3b222ce8
SHA1

5a53aa8c4ba39a72700d0b1841c74564d3066e2e
SHA256

fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993
SHA512

5b0797c2a91828ed5d886c701d3795b8567cbdca6ad6435862ff30ff9682d6bdb6344e42616b319a83f964dc4c5208e80b84cd7aae5f9acd9a59a84cf46f591c
SSDEEP

3072:8SB23ZRnWUWwQ9LmtWegYpKd8W2/7ik2YvsolNI9cq97Lq74:8FPnWUWukYaNkrNxO7Lq

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
\??\c:\progra~3\applic~1\storm\update\kdsxy.dlc	family_gh0strat
C:\ProgramData\Storm\update\kdsxy.dlc	family_gh0strat
C:\ProgramData\Storm\update\kdsxy.dlc	family_gh0strat
C:\ProgramData\Storm\update\kdsxy.dlc	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4892 svchost.exe
2356 svchost.exe
3532 svchost.exe

pid	process
4892	svchost.exe
2356	svchost.exe
3532	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\aqjixitciu	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aqanvrcuvg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\apqsubjnjr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\APPLIC~1\Storm\update\kdsxy.dlc	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2016 4892 WerFault.exe svchost.exe
428 2356 WerFault.exe svchost.exe
4884 3532 WerFault.exe svchost.exe

pid	pid_target	process	target process
2016	4892	WerFault.exe	svchost.exe
428	2356	WerFault.exe	svchost.exe
4884	3532	WerFault.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege	3316	fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeRestorePrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeSecurityPrivilege	4892	svchost.exe
Token: SeSecurityPrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeSecurityPrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeSecurityPrivilege	4892	svchost.exe
Token: SeBackupPrivilege	4892	svchost.exe
Token: SeRestorePrivilege	4892	svchost.exe
Token: SeBackupPrivilege	2356	svchost.exe
Token: SeRestorePrivilege	2356	svchost.exe
Token: SeBackupPrivilege	2356	svchost.exe
Token: SeBackupPrivilege	2356	svchost.exe
Token: SeSecurityPrivilege	2356	svchost.exe
Token: SeSecurityPrivilege	2356	svchost.exe
Token: SeBackupPrivilege	2356	svchost.exe
Token: SeBackupPrivilege	2356	svchost.exe
Token: SeSecurityPrivilege	2356	svchost.exe
Token: SeBackupPrivilege	3532	svchost.exe
Token: SeRestorePrivilege	3532	svchost.exe
Token: SeBackupPrivilege	3532	svchost.exe
Token: SeBackupPrivilege	3532	svchost.exe
Token: SeSecurityPrivilege	3532	svchost.exe

C:\Users\Admin\AppData\Local\Temp\fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
"C:\Users\Admin\AppData\Local\Temp\fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 936
2⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4892 -ip 4892
1⤵
PID:1640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1076
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2356 -ip 2356
1⤵
PID:2976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1100
2⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3532 -ip 3532
1⤵
PID:3844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\kdsxy.dlc
Filesize
1.6MB

MD5
68f5a48cfb84bd82c4645715520ed0e5

SHA1
d704e52e1f0c1af8d3d85e3cbc031d81db02ed0c

SHA256
c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a

SHA512
59044f30fcb8949394e9e7c661a3b8b3be0c031c5671e6d887bb9b9fcdd35dc950557979cef6d4b57985e03cb131b6f501f840b31d3862550f8d8eda93f6a2f9

Download Submit
C:\ProgramData\Storm\update\kdsxy.dlc
Filesize
1.6MB

MD5
68f5a48cfb84bd82c4645715520ed0e5

SHA1
d704e52e1f0c1af8d3d85e3cbc031d81db02ed0c

SHA256
c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a

SHA512
59044f30fcb8949394e9e7c661a3b8b3be0c031c5671e6d887bb9b9fcdd35dc950557979cef6d4b57985e03cb131b6f501f840b31d3862550f8d8eda93f6a2f9

Download Submit
C:\ProgramData\Storm\update\kdsxy.dlc
Filesize
1.6MB

MD5
68f5a48cfb84bd82c4645715520ed0e5

SHA1
d704e52e1f0c1af8d3d85e3cbc031d81db02ed0c

SHA256
c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a

SHA512
59044f30fcb8949394e9e7c661a3b8b3be0c031c5671e6d887bb9b9fcdd35dc950557979cef6d4b57985e03cb131b6f501f840b31d3862550f8d8eda93f6a2f9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
202B

MD5
0c29ab7d16fdaac3cdb8f57b39c70c79

SHA1
938923652f98adefa395320e353ff81f8fe15a5a

SHA256
f5989377e0eb6edcc7c24f0ca05109e7d2d6b864adb987bf75ed7e7ab51156f1

SHA512
b9bf1488323fbdc1c036e34d0f7176c600d7aba8d33e1a483eb5d7c2b7cc33da11905a13a114aab5b8c853238576c15bf7c32a6c49a054c7ca468298dcb2250c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
261B

MD5
bb6c212b6c6e3a5ad355e13fed5ec7b1

SHA1
bc321c5f17842db3a06bef602efed22c97153cb9

SHA256
d1cab7088ad51fea6a6be3e9a6aca420db87846cd5817466a7b6a5ba1f58875d

SHA512
37d08028de54c0cc593d3fb5659a87e0547a6732820ce18af67b87d3801822d83e884cd568069db6dfe06ca8c17aa15c456796a5f684603331949f9b7cc42c9e

Download Submit
\??\c:\progra~3\applic~1\storm\update\kdsxy.dlc
Filesize
1.6MB

MD5
68f5a48cfb84bd82c4645715520ed0e5

SHA1
d704e52e1f0c1af8d3d85e3cbc031d81db02ed0c

SHA256
c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a

SHA512
59044f30fcb8949394e9e7c661a3b8b3be0c031c5671e6d887bb9b9fcdd35dc950557979cef6d4b57985e03cb131b6f501f840b31d3862550f8d8eda93f6a2f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads