gh0strat | a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9

Analysis

max time kernel
136s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe
Size

96KB
MD5

75d906cfaa797a0fb27e7b1935183730
SHA1

45c2322ee7c7ba0b08d6fd3ac0c5dc2ca5e7b017
SHA256

a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9
SHA512

65a85572072e12e06ebdbb63270ad5b66c7708208b5817b75ce6f5c26bdb3d23c22cf30b82ca02853b0ead7b3b8b958c5441e25373318f003dbda8893598e13f
SSDEEP

1536:VCFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prbXO5J68K:VoS4jHS8q/3nTzePCwNUh4E9b+G8K

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0003000000021b43-139.dat	family_gh0strat
behavioral2/files/0x0003000000021b43-140.dat	family_gh0strat
behavioral2/files/0x0003000000000721-141.dat	family_gh0strat
behavioral2/files/0x0003000000000721-142.dat	family_gh0strat
behavioral2/memory/4312-143-0x0000000000400000-0x000000000044E280-memory.dmp	family_gh0strat
behavioral2/files/0x0003000000000721-145.dat	family_gh0strat
behavioral2/files/0x0003000000000721-147.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4312	fpssjegowy

Loads dropped DLL 4 IoCs

pid	Process
4808	svchost.exe
4244	svchost.exe
3148	svchost.exe
3388	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yrklawqvtx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ygedlxpice	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yguikhxbpp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yflojqfudb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1948	4808	WerFault.exe	81
2708	4244	WerFault.exe	96
2500	3148	WerFault.exe	99
4876	3388	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4312	fpssjegowy
4312	fpssjegowy

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeRestorePrivilege	4808	svchost.exe
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeSecurityPrivilege	4808	svchost.exe
Token: SeSecurityPrivilege	4808	svchost.exe
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeSecurityPrivilege	4808	svchost.exe
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeBackupPrivilege	4808	svchost.exe
Token: SeSecurityPrivilege	4808	svchost.exe
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4312	fpssjegowy
Token: SeRestorePrivilege	4312	fpssjegowy
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeRestorePrivilege	4244	svchost.exe
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeSecurityPrivilege	4244	svchost.exe
Token: SeSecurityPrivilege	4244	svchost.exe
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeSecurityPrivilege	4244	svchost.exe
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeBackupPrivilege	4244	svchost.exe
Token: SeSecurityPrivilege	4244	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeRestorePrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeSecurityPrivilege	3148	svchost.exe
Token: SeSecurityPrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeSecurityPrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3148	svchost.exe
Token: SeSecurityPrivilege	3148	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeRestorePrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeSecurityPrivilege	3388	svchost.exe
Token: SeSecurityPrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe
Token: SeBackupPrivilege	3388	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4312	1560	a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe	80
PID 1560 wrote to memory of 4312	1560	a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe	80
PID 1560 wrote to memory of 4312	1560	a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe	80

C:\Users\Admin\AppData\Local\Temp\a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe
"C:\Users\Admin\AppData\Local\Temp\a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- \??\c:\users\admin\appdata\local\fpssjegowy
  "C:\Users\Admin\AppData\Local\Temp\a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe" a -sc:\users\admin\appdata\local\temp\a065fb459829a5344a27ea9adcd5e7b090394df98e724f1a3028bdcd9d1539d9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1012
  2⤵
  - Program crash
  PID:1948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4808 -ip 4808
1⤵
PID:616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
PID:4776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
PID:4056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1104
  2⤵
  - Program crash
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4244 -ip 4244
1⤵
PID:3408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1108
  2⤵
  - Program crash
  PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3148 -ip 3148
1⤵
PID:2248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1120
  2⤵
  - Program crash
  PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3388 -ip 3388
1⤵
PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\pxrmb.cc3

Filesize
20.1MB

MD5
681c9b07679f09c348bc752ab10b0da4

SHA1
d937b7a37060f5dbb0ee184206295aa84878321d

SHA256
0bf608f69c437265054ef8fb3093c726b023bd2568ee3db4e552a59f352944cc

SHA512
ac29dc36a2f667a304c6345c91c3a8259c36822da54306dd18ac2df8aa15575c5ed032a4517c558401fcee0919bd624063ce51c4c7f438f0b0d3724a0c30787e

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\pxrmb.cc3

Filesize
20.1MB

MD5
681c9b07679f09c348bc752ab10b0da4

SHA1
d937b7a37060f5dbb0ee184206295aa84878321d

SHA256
0bf608f69c437265054ef8fb3093c726b023bd2568ee3db4e552a59f352944cc

SHA512
ac29dc36a2f667a304c6345c91c3a8259c36822da54306dd18ac2df8aa15575c5ed032a4517c558401fcee0919bd624063ce51c4c7f438f0b0d3724a0c30787e

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\pxrmb.cc3

Filesize
20.1MB

MD5
681c9b07679f09c348bc752ab10b0da4

SHA1
d937b7a37060f5dbb0ee184206295aa84878321d

SHA256
0bf608f69c437265054ef8fb3093c726b023bd2568ee3db4e552a59f352944cc

SHA512
ac29dc36a2f667a304c6345c91c3a8259c36822da54306dd18ac2df8aa15575c5ed032a4517c558401fcee0919bd624063ce51c4c7f438f0b0d3724a0c30787e

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\pxrmb.cc3

Filesize
21.1MB

MD5
037374754d3863bd3bff97a89109ea42

SHA1
2372345a2c57e6bdd135fa6e2eddb9df783d2c69

SHA256
6ffb11d90a1632a104818a68ed818d82652d0a9f8bc4493c1d18e9318a54226e

SHA512
9aa56630c09cb90dd8cc87778534df948f4fc93bfac40941c66f3fd916c1d6492506a84c0a030e57963e002fe5182af6b7baec8d2c087cbb68947472825062ac

Download Submit
C:\Users\Admin\AppData\Local\fpssjegowy

Filesize
20.8MB

MD5
421c5527caecbf8f0acb5d5370ce592b

SHA1
396d288607e8be279e0ae0775839d6009e2aa49c

SHA256
76d02ecc038065889612402c2acc19e1116796ab13d86beaaa213312f39489a9

SHA512
1edfc20f1bbc9d1da31dc48f2ced0df9f958c01fdc27cfc33f87f921a65c4585339edad412c625c8a0c9c72457c19dd64525c63fcfdf4997394565ec0fcf1eed

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
206B

MD5
0500b56365532e3ee79b01f6ac52b740

SHA1
8b8bf36b8b1bb71f23444293c0be1ce8beb365d1

SHA256
b9d8390782ba0c8f8fe9c5e003b830f5b76164bc5e285ec6f1e0266ba39e5c3f

SHA512
314deed1d54ca8ece6f8fd509e596a1314e23329de42da6bf673adb2fa026c18f61a65ed1a821eff79d38504dda554614ba0c9815b8536b51a267a018cc4f93a

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
309B

MD5
2cbaf86c1bb97d73f87a513c11ff021a

SHA1
c7020f52b9c7a7722fc471a6b530a6ea993cf2df

SHA256
48cb54b839ca763b988ba5be72a0d71571d065e299fa7c9fdefa297758a1229e

SHA512
1ded2ad6af74439306abf1edf2c2531f188195105b19b6037335bddad00fbe9e0c5995708782e0a1d7a79c9d5cfa6421d0bcb613d05caf5324757b17cd433590

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
412B

MD5
e8c5e4bf8ade790a373fd495a9aa35b9

SHA1
783b80004473aae69fb288068a027bcd6645889d

SHA256
5e1e16ffca36c275e8c0d264dc7b1895b5b056a8418ae7c00a1675499949e4af

SHA512
4323b071a6adb7e5d8a0c77b975387b38cf89de762d67e8bcc79b27d807e0c7a9b4d3a248e75125ab3157f78907d55d357b1be49812fd9c16586873b87f28133

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\pxrmb.cc3

Filesize
20.1MB

MD5
681c9b07679f09c348bc752ab10b0da4

SHA1
d937b7a37060f5dbb0ee184206295aa84878321d

SHA256
0bf608f69c437265054ef8fb3093c726b023bd2568ee3db4e552a59f352944cc

SHA512
ac29dc36a2f667a304c6345c91c3a8259c36822da54306dd18ac2df8aa15575c5ed032a4517c558401fcee0919bd624063ce51c4c7f438f0b0d3724a0c30787e

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\pxrmb.cc3

Filesize
21.1MB

MD5
037374754d3863bd3bff97a89109ea42

SHA1
2372345a2c57e6bdd135fa6e2eddb9df783d2c69

SHA256
6ffb11d90a1632a104818a68ed818d82652d0a9f8bc4493c1d18e9318a54226e

SHA512
9aa56630c09cb90dd8cc87778534df948f4fc93bfac40941c66f3fd916c1d6492506a84c0a030e57963e002fe5182af6b7baec8d2c087cbb68947472825062ac

Download Submit
\??\c:\users\admin\appdata\local\fpssjegowy

Filesize
20.8MB

MD5
421c5527caecbf8f0acb5d5370ce592b

SHA1
396d288607e8be279e0ae0775839d6009e2aa49c

SHA256
76d02ecc038065889612402c2acc19e1116796ab13d86beaaa213312f39489a9

SHA512
1edfc20f1bbc9d1da31dc48f2ced0df9f958c01fdc27cfc33f87f921a65c4585339edad412c625c8a0c9c72457c19dd64525c63fcfdf4997394565ec0fcf1eed

Download Submit
memory/1560-132-0x0000000000400000-0x000000000044E280-memory.dmp

Filesize
312KB

Download
memory/1560-135-0x0000000000400000-0x000000000044E280-memory.dmp

Filesize
312KB

Download
memory/4312-138-0x0000000000400000-0x000000000044E280-memory.dmp

Filesize
312KB

Download
memory/4312-137-0x0000000000400000-0x000000000044E280-memory.dmp

Filesize
312KB

Download
memory/4312-143-0x0000000000400000-0x000000000044E280-memory.dmp

Filesize
312KB

Download