gh0strat | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584

General

Target

eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Size

192KB
MD5

702395713f991c8ef6189f0c62d465f5
SHA1

c2a01fb4fc43fe709732bafaf334bbb98755af5a
SHA256

eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584
SHA512

a17d03afe1011f1b199c1428a69c6b7d5dc536dadbf2fbbaeda362dd2fc6993139aa6ab5242223416b3b682e7e29712b32b1098f3a5543fd708c6affb3a811bc
SSDEEP

3072:lSB23ZRnWUWXzg5KHbFxlAPHX7JC2J/IPe25L/IV8/dHb7nslSlq:lFPnWUWX05KH3lAP37JC2J/IPeiD/Rjt

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
\??\c:\progra~3\applic~1\storm\update\enljb.dlc	family_gh0strat
C:\ProgramData\Storm\update\enljb.dlc	family_gh0strat
C:\ProgramData\Storm\update\enljb.dlc	family_gh0strat
C:\ProgramData\Storm\update\enljb.dlc	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

212 svchost.exe
1296 svchost.exe
3088 svchost.exe

pid	process
212	svchost.exe
1296	svchost.exe
3088	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\jkobshxxet	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jssyythoea	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jsjexdohrl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\APPLIC~1\Storm\update\enljb.dlc	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2044 212 WerFault.exe svchost.exe
2332 1296 WerFault.exe svchost.exe
4876 3088 WerFault.exe svchost.exe

pid	pid_target	process	target process
2044	212	WerFault.exe	svchost.exe
2332	1296	WerFault.exe	svchost.exe
4876	3088	WerFault.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeRestorePrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeBackupPrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeRestorePrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeBackupPrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeRestorePrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeBackupPrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeRestorePrivilege	1292	eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeRestorePrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeRestorePrivilege	212	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeRestorePrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeSecurityPrivilege	1296	svchost.exe
Token: SeSecurityPrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeSecurityPrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeSecurityPrivilege	1296	svchost.exe
Token: SeBackupPrivilege	1296	svchost.exe
Token: SeRestorePrivilege	1296	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeRestorePrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeSecurityPrivilege	3088	svchost.exe
Token: SeSecurityPrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeSecurityPrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeSecurityPrivilege	3088	svchost.exe
Token: SeBackupPrivilege	3088	svchost.exe
Token: SeRestorePrivilege	3088	svchost.exe

C:\Users\Admin\AppData\Local\Temp\eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
"C:\Users\Admin\AppData\Local\Temp\eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 864
2⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
1⤵
PID:4640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 832
2⤵
- Program crash
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1296 -ip 1296
1⤵
PID:2984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 884
2⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3088 -ip 3088
1⤵
PID:4584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\enljb.dlc
Filesize
896KB

MD5
b3758a0a553fd8b89cfe1db692b81026

SHA1
449bd6c3e272b74b12eb5fc6b5b068dbc5abaa5d

SHA256
4edb1d530db90f459be6ed88bb576732ca39a598850221f151c20064d3b92680

SHA512
20cbbeb7924f7b05bc97dfc58deb79092630f4301e03c3196b8dfff9dbeccb66462f70a218f30ff81d06c870325cdc8bcb5cb850ef99ac4cf4f55a14319f8c1f

Download Submit
C:\ProgramData\Storm\update\enljb.dlc
Filesize
896KB

MD5
b3758a0a553fd8b89cfe1db692b81026

SHA1
449bd6c3e272b74b12eb5fc6b5b068dbc5abaa5d

SHA256
4edb1d530db90f459be6ed88bb576732ca39a598850221f151c20064d3b92680

SHA512
20cbbeb7924f7b05bc97dfc58deb79092630f4301e03c3196b8dfff9dbeccb66462f70a218f30ff81d06c870325cdc8bcb5cb850ef99ac4cf4f55a14319f8c1f

Download Submit
C:\ProgramData\Storm\update\enljb.dlc
Filesize
896KB

MD5
b3758a0a553fd8b89cfe1db692b81026

SHA1
449bd6c3e272b74b12eb5fc6b5b068dbc5abaa5d

SHA256
4edb1d530db90f459be6ed88bb576732ca39a598850221f151c20064d3b92680

SHA512
20cbbeb7924f7b05bc97dfc58deb79092630f4301e03c3196b8dfff9dbeccb66462f70a218f30ff81d06c870325cdc8bcb5cb850ef99ac4cf4f55a14319f8c1f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
201B

MD5
1d0a2e28fc3087ae6cd8d8b273223dd8

SHA1
a27c51dc5a9a776aeeacfc3a7afaa135eaeb3ab5

SHA256
09550f91830ad3e98a9a101864700304b4409e1b66cb058359091ec7bf2047af

SHA512
643cc5e05e173f96454f5e61c7a1c5745a74a189935f21ef87798536ca46f13a77845dbe6ba0403dde54d24feca9f5370ef6ce3d48002697589317f96095006b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
302B

MD5
485ef44c47d697dd0d25ad2693c249ca

SHA1
27ed455d300e365535225b00ea6fa3f43f552a59

SHA256
a269a456433d9c1e8f12edf50c3b997df149d66b0fa7e9b449bf122aa57c4b29

SHA512
e56c248c0428561c349348b9128b9e020eeb5616c41e6003dd68e09fe1d23faba0715116081cb9aaf2c8e32f8b18e13f5585267bea2e6384cac05e4bf5d1318b

Download Submit
\??\c:\progra~3\applic~1\storm\update\enljb.dlc
Filesize
896KB

MD5
b3758a0a553fd8b89cfe1db692b81026

SHA1
449bd6c3e272b74b12eb5fc6b5b068dbc5abaa5d

SHA256
4edb1d530db90f459be6ed88bb576732ca39a598850221f151c20064d3b92680

SHA512
20cbbeb7924f7b05bc97dfc58deb79092630f4301e03c3196b8dfff9dbeccb66462f70a218f30ff81d06c870325cdc8bcb5cb850ef99ac4cf4f55a14319f8c1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads