gh0strat | e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648

General

Target

e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Size

39KB
MD5

3697872eb74777ad7075dd6cd529edc0
SHA1

217f4af3aea4ad2ee02c1bb53e3223f9f18506c1
SHA256

e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648
SHA512

01d3984dbaa07a5528c2e61b65a0b01292bd9106d319d67a02326dd0487be2924bb0c3e7b0d886b58aac1e0056db14836aabd4cd80acf8b2e3fa3623187960eb
SSDEEP

768:JKqq1uaVze+uFNSlcUkFR1Df0ermMUXIisUaAsJ/APII:JKqauaVzebGcD/f+9X/WAh

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1088-55-0x0000000000400000-0x000000000041A000-memory.dmp	family_gh0strat
behavioral1/memory/1088-57-0x0000000000400000-0x000000000041A000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000015c60-58.dat	family_gh0strat
behavioral1/files/0x000a000000015c60-59.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-61.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1088-55-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1088-57-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1504	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Iefg\Nefghijkl.pic	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
File created	C:\Program Files (x86)\Iefg\Nefghijkl.pic	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeRestorePrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeBackupPrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeRestorePrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeBackupPrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeRestorePrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeBackupPrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
Token: SeRestorePrivilege	1088	e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe

C:\Users\Admin\AppData\Local\Temp\e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe
"C:\Users\Admin\AppData\Local\Temp\e3d9f812f239413941941086ed157ef80735d70f76873fc1e8141f2ac5e3f648.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1504

Network

DNS

www.sfbazhu.com

imgsvc

Remote address:

8.8.8.8:53

Request

www.sfbazhu.com

IN A

Response

No results found

8.8.8.8:53

www.sfbazhu.com

dns

imgsvc

61 B
134 B
1
1

DNS Request

www.sfbazhu.com

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2647500.dll

Filesize
69KB

MD5
47e638ba159126d58216f99e640b8ea1

SHA1
46816e8734562a5fd7a9aecbec9661f92a624fbe

SHA256
5c16257ee22ccb24890b7330e3d2de3e412ad2968e0c70280a22f338e7c0daac

SHA512
07f84228958e2f396f864fcc1c7772087d74e29286f9c327340e53cf459350ed0d9e5b6e1c4ea0eff0cf40bf302b00f1f2e8bc3da286a0e4f674ec84292f44c9

Download Submit
C:\WinWall64.bmp

Filesize
117B

MD5
47b02af9bcfc2e47745a836c694d6f70

SHA1
6f7a365a4bad72806a137db8e19ba22911801068

SHA256
1b3137be92d667234afc8e28f16e147e7545852402ddd3c3d2841a58c70dad13

SHA512
b0350a74bedaa7b5fc9b1f808ad60cdbd68045d1f567e55bdb84cf8b9874270eb9331d0c0b48e9c9b9504980a4d02150cd1d9770038bff4449f2f8992169725b

Download Submit
\??\c:\program files (x86)\iefg\nefghijkl.pic

Filesize
4.1MB

MD5
be6927b3a2b936e12d9a8fdecea6b87b

SHA1
982942818da7faa50a7ff5f81dd50c1240da1110

SHA256
3e77564fb8c35486467c7b6de542cae728b0f49d731ba00e024461e33e488e11

SHA512
415207191c178f8e33f03acfda9d58db37722f3a7f3d34b0c20dde9f6cb0df211decf318813dcc6d3a73d8a8d4e4cba0ed684255e17b3f7aa161911d52803f6a

Download Submit
\Program Files (x86)\Iefg\Nefghijkl.pic

Filesize
4.1MB

MD5
be6927b3a2b936e12d9a8fdecea6b87b

SHA1
982942818da7faa50a7ff5f81dd50c1240da1110

SHA256
3e77564fb8c35486467c7b6de542cae728b0f49d731ba00e024461e33e488e11

SHA512
415207191c178f8e33f03acfda9d58db37722f3a7f3d34b0c20dde9f6cb0df211decf318813dcc6d3a73d8a8d4e4cba0ed684255e17b3f7aa161911d52803f6a

Download Submit
memory/1088-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1088-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1088-56-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/1088-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing