gh0strat | 65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66

Analysis

max time kernel
92s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Size

192KB
MD5

294b8c58695e9a59243fe1227e8b7d90
SHA1

50b52829f40b4aeb75801d1473a3053587746e59
SHA256

65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66
SHA512

f7a1cf0fc92a78152c2b9e0a4d24582a933592634118f7ce22d7714762fd9233e89acd5db10d06bb57a4a50838d50c129f5c00d6655a083b72cbdd536fcc50bb
SSDEEP

3072:hSB23ZRnWUWwQ9LmtWegYpKd8W2/7ik2YvsolNI9cq97Lq74:hFPnWUWukYaNkrNxO7Lq

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022f57-132.dat	family_gh0strat
behavioral2/files/0x0009000000022f57-133.dat	family_gh0strat
behavioral2/files/0x0009000000022f57-134.dat	family_gh0strat
behavioral2/files/0x0009000000022f57-136.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 3 IoCs

pid	Process
4564	svchost.exe
672	svchost.exe
3616	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vgndagqtcs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vxppqmvoci	svchost.exe
File created	C:\Windows\SysWOW64\vwwanfkbdf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vnymelpvdv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\APPLIC~1\Storm\update\mipvb.dlc	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4704	4564	WerFault.exe	82
3620	672	WerFault.exe	93
3320	3616	WerFault.exe	96

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeBackupPrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeRestorePrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeBackupPrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeRestorePrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeBackupPrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeRestorePrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeBackupPrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeRestorePrivilege	5048	65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeRestorePrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeSecurityPrivilege	4564	svchost.exe
Token: SeSecurityPrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeSecurityPrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeSecurityPrivilege	4564	svchost.exe
Token: SeBackupPrivilege	4564	svchost.exe
Token: SeRestorePrivilege	4564	svchost.exe
Token: SeBackupPrivilege	672	svchost.exe
Token: SeRestorePrivilege	672	svchost.exe
Token: SeBackupPrivilege	672	svchost.exe
Token: SeBackupPrivilege	672	svchost.exe
Token: SeSecurityPrivilege	672	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeRestorePrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeSecurityPrivilege	3616	svchost.exe
Token: SeSecurityPrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeSecurityPrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeSecurityPrivilege	3616	svchost.exe
Token: SeBackupPrivilege	3616	svchost.exe
Token: SeRestorePrivilege	3616	svchost.exe

C:\Users\Admin\AppData\Local\Temp\65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe
"C:\Users\Admin\AppData\Local\Temp\65ac141cba1045869bc8f9315e518c703a1174140a22e827530cfb1810849d66.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 816
  2⤵
  - Program crash
  PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4564 -ip 4564
1⤵
PID:4856

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 1088
  2⤵
  - Program crash
  PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 672 -ip 672
1⤵
PID:616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 832
  2⤵
  - Program crash
  PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3616 -ip 3616
1⤵
PID:4220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\mipvb.dlc

Filesize
2.2MB

MD5
e72d8a154c93eb94f2ad9a28ecf90c3f

SHA1
c082bedd5e0ebeb63367d27b59c2b6b0e3f1290e

SHA256
fe2220724472548facc2e8d9157935702343ab51daf200a831bf7fe2dc886f00

SHA512
83a42a08b9d3ebfcc4b3cc10358cdd6073781390834de644d9c0cd205a55ac94483b816206669bd32d40f229dcdb70a10d39d18897382c7f35d5cf87c1244c8d

Download Submit
C:\ProgramData\Storm\update\mipvb.dlc

Filesize
2.2MB

MD5
e72d8a154c93eb94f2ad9a28ecf90c3f

SHA1
c082bedd5e0ebeb63367d27b59c2b6b0e3f1290e

SHA256
fe2220724472548facc2e8d9157935702343ab51daf200a831bf7fe2dc886f00

SHA512
83a42a08b9d3ebfcc4b3cc10358cdd6073781390834de644d9c0cd205a55ac94483b816206669bd32d40f229dcdb70a10d39d18897382c7f35d5cf87c1244c8d

Download Submit
C:\ProgramData\Storm\update\mipvb.dlc

Filesize
2.2MB

MD5
e72d8a154c93eb94f2ad9a28ecf90c3f

SHA1
c082bedd5e0ebeb63367d27b59c2b6b0e3f1290e

SHA256
fe2220724472548facc2e8d9157935702343ab51daf200a831bf7fe2dc886f00

SHA512
83a42a08b9d3ebfcc4b3cc10358cdd6073781390834de644d9c0cd205a55ac94483b816206669bd32d40f229dcdb70a10d39d18897382c7f35d5cf87c1244c8d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
46c4d8310d84fb10f5462f3ca2b5a626

SHA1
3f09e1d14258cc8b93abc9475126f519fb89a45e

SHA256
09faba635e12ec7a5e98a551d83227690d162a6f5cbfe33db2771f7f45210ea7

SHA512
7eba0728ad807efb5097ccb524ff3f9761b200a97dd646b1fc189341af7ae158f028cf0462be5f396979066b2b5a31fa4fe14fd03dea1763c3db6754b74ba5bb

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
5068cfbdcae92d8195d6ddf3fb66dde5

SHA1
db49333efd34a2f5ab3c518b92689b8e2823c249

SHA256
da8e145b7dcbd1675c7b0b6b1bc6a4d3f13667fd2ceab07a1cdbff47deb4d008

SHA512
fb208c1fdc969ebf186a7c91f03e4f8f8275e1b9e4f422f099e8d4ffa9f7170dd4ba07ab87a07b1b92fa6b5af144a68c9d9eafef6403d987cf78f4b7d4977ea4

Download Submit
\??\c:\progra~3\applic~1\storm\update\mipvb.dlc

Filesize
2.2MB

MD5
e72d8a154c93eb94f2ad9a28ecf90c3f

SHA1
c082bedd5e0ebeb63367d27b59c2b6b0e3f1290e

SHA256
fe2220724472548facc2e8d9157935702343ab51daf200a831bf7fe2dc886f00

SHA512
83a42a08b9d3ebfcc4b3cc10358cdd6073781390834de644d9c0cd205a55ac94483b816206669bd32d40f229dcdb70a10d39d18897382c7f35d5cf87c1244c8d

Download Submit