gh0strat | 84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
Size

925KB
MD5

394277e5e016005e96ded8342bfeb041
SHA1

26762b55abd3f375dffb662ccf252901d82e2538
SHA256

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd
SHA512

ad73aa78852ee36e67546ecd1b106ab1bc88491ab7a73b154eee1a8d039879d88ec87fe371f2c4fcbcb1d2a3d254ebe0dc970f0d0c4261b2c88c12774c015311
SSDEEP

24576:jkr7jT4WOCtG3r9WyErEwk664hq/ERAfHYI:jOIpj3r9WyEr04yEWvR

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1064-76-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 5 IoCs

Processes:

jb.exescvhost.exe2.exeMFC71CHS.exefsfdkygutl

pid process

1940 jb.exe
1064 scvhost.exe
2008 2.exe
2024 MFC71CHS.exe
1720 fsfdkygutl

pid	process
1940	jb.exe
1064	scvhost.exe
2008	2.exe
2024	MFC71CHS.exe
1720	fsfdkygutl

Loads dropped DLL 8 IoCs

Processes:

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exejb.exe

pid	process
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
1940	jb.exe

Drops file in System32 directory 5 IoCs

Processes:

2.exe

description	ioc	process
File created	C:\Windows\System32\1235DC.tmp	2.exe
File opened for modification	C:\Windows\SysWOW64\1235DC.tmp	2.exe
File created	C:\Windows\System32\1236A8.tmp	2.exe
File opened for modification	C:\Windows\SysWOW64\1236A8.tmp	2.exe
File created	C:\Windows\SysWOW64\sxload.tmp	2.exe

Drops file in Program Files directory 1 IoCs

Processes:

2.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx998.tmp 2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

988 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

scvhost.exejb.exe

pid process

1064 scvhost.exe
1940 jb.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx998.tmp	2.exe

pid	process
988	taskkill.exe

pid	process
1064	scvhost.exe
1940	jb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2.exetaskkill.exejb.exe

description	pid	process
Token: SeDebugPrivilege	2008	2.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeRestorePrivilege	1940	jb.exe
Token: SeBackupPrivilege	1940	jb.exe
Token: SeBackupPrivilege	1940	jb.exe
Token: SeRestorePrivilege	1940	jb.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2.exe

pid process

2008 2.exe
2008 2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

scvhost.exe

pid process

1064 scvhost.exe

pid	process
2008	2.exe
2008	2.exe

pid	process
1064	scvhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe2.exe

description	pid	process	target process
PID 1908 wrote to memory of 1940	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 1908 wrote to memory of 1940	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 1908 wrote to memory of 1940	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 1908 wrote to memory of 1940	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	jb.exe
PID 1908 wrote to memory of 1064	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 1908 wrote to memory of 1064	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 1908 wrote to memory of 1064	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 1908 wrote to memory of 1064	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	scvhost.exe
PID 1908 wrote to memory of 2008	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 1908 wrote to memory of 2008	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 1908 wrote to memory of 2008	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 1908 wrote to memory of 2008	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	2.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 1908 wrote to memory of 2024	1908	84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe	MFC71CHS.exe
PID 2008 wrote to memory of 988	2008	2.exe	taskkill.exe
PID 2008 wrote to memory of 988	2008	2.exe	taskkill.exe
PID 2008 wrote to memory of 988	2008	2.exe	taskkill.exe
PID 2008 wrote to memory of 988	2008	2.exe	taskkill.exe
PID 2008 wrote to memory of 1544	2008	2.exe	cmd.exe
PID 2008 wrote to memory of 1544	2008	2.exe	cmd.exe
PID 2008 wrote to memory of 1544	2008	2.exe	cmd.exe
PID 2008 wrote to memory of 1544	2008	2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe
"C:\Users\Admin\AppData\Local\Temp\84ae8210cc078e2962be9bb62ff3ff5eb2eaae7f87296a545803b18527521dcd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\jb.exe
"C:\Users\Admin\AppData\Local\Temp\jb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

\??\c:\users\admin\appdata\local\fsfdkygutl
"C:\Users\Admin\AppData\Local\Temp\jb.exe" a -sc:\users\admin\appdata\local\temp\jb.exe
3⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
3⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe"
2⤵
- Executes dropped EXE
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
125B

MD5
3b7dd85c6011192882bad9eda56a79f3

SHA1
898067776de1931b3e35a3ce9728b25c063dbf50

SHA256
f70d667736dd2c4a4739e78b3c052616aaf647a95dbb9e562124337e29793c17

SHA512
9a051dc0c1d6f4df181f97744b71c5e4f0670040c3b8501436c555b299a762cbf5b7e7c3ab6d1b4e414477f2717cab404fe4652e11b5bc008f7e21c84dd80764

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
16KB

MD5
bb50b21e70f4f92ee7624c7801d45e55

SHA1
d704aab549c11c239e9700eb34c6175453088ac2

SHA256
ba26c68192155b7bd230aa25f74922c4e382b23721e79fdff0119e444a5fc238

SHA512
8c2aa6236d0a1246ad976dab8ad9f7ff6323753afeede6de3f50f7c2f100188a3737a4c90125eeec8f7122f612f3c4098b83a873aa35c9a66e8713d1b1f14948

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
16KB

MD5
bb50b21e70f4f92ee7624c7801d45e55

SHA1
d704aab549c11c239e9700eb34c6175453088ac2

SHA256
ba26c68192155b7bd230aa25f74922c4e382b23721e79fdff0119e444a5fc238

SHA512
8c2aa6236d0a1246ad976dab8ad9f7ff6323753afeede6de3f50f7c2f100188a3737a4c90125eeec8f7122f612f3c4098b83a873aa35c9a66e8713d1b1f14948

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe
Filesize
543KB

MD5
ef3bda86cfc2991018f32092d3b01b25

SHA1
5ddfcfe2ed6fae903473bed84bd96ad83c1c8b15

SHA256
4e0e7d383f30a6f14dd03c01ae74b3cfbe18b980589134e38d96c089fd6d5314

SHA512
8c2d1cbfb4186a8b87cedfe98ca9b35952e13a0c0cbaed21b16d289ebd9e7f053cfde4ccf6e7ce09ab2a6813a949d670790f7ff5ed2722a3cf7a1e9c89e99dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFC71CHS.exe
Filesize
543KB

MD5
ef3bda86cfc2991018f32092d3b01b25

SHA1
5ddfcfe2ed6fae903473bed84bd96ad83c1c8b15

SHA256
4e0e7d383f30a6f14dd03c01ae74b3cfbe18b980589134e38d96c089fd6d5314

SHA512
8c2d1cbfb4186a8b87cedfe98ca9b35952e13a0c0cbaed21b16d289ebd9e7f053cfde4ccf6e7ce09ab2a6813a949d670790f7ff5ed2722a3cf7a1e9c89e99dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jb.exe
Filesize
196KB

MD5
d9f0d856a12a5b34aa5801f71d930bbc

SHA1
9c4cda360b5b4b4b43c99782afcc159b9710e554

SHA256
fd4c618f459ede2868d1846c50a3996fc874342afd18e264dfcb3725a3712269

SHA512
70b95bd3d1a409ca3dc89e179eced8258ef46d2d52dd8b1f8e9abd1a3496319f0e3c3b7ac0a476440b15ee6a716c5bcc0d479105ee3c12db67bbba90232e336f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhost.exe
Filesize
137KB

MD5
02f1a88947345170ed8f01779baa2645

SHA1
4e2cd34f2f8e6ea4e0fa06ba3de7f539aaf96293

SHA256
0121a9201574d372d625d49f1975fd1c90c2cc871bf06cd1bec9f557e9fa1e3b

SHA512
5b9da92bb3dc3f9c9757dbc9deda51eab33e3d5bd0c4ed54dae8b29453c392149aca240a3e7f34b1b3dacc29680dd5b1cbd97b3509e633c6d3486cbd932ebe75

Download Submit
C:\Users\Admin\AppData\Local\fsfdkygutl
Filesize
19.7MB

MD5
3b8767730efc272fe201c6427ff03f1a

SHA1
b5a3d85cc7c4e9e978e50ca431d301c7ce1d8b56

SHA256
4372caed4dd3e835a240ce53597d958b1dea1c5c71080b357773247b4af54bc4

SHA512
99eac1e74afdd19cad6e90ee62c19f81ec6e0d1b9b48de8bbdb17d17a05ea70df24c7b51673612c6c6e8086fc8bc925953d9279a09d6924f0b4c62c50334cc7a

Download Submit
\??\c:\users\admin\appdata\local\temp\jb.exe
Filesize
196KB

MD5
d9f0d856a12a5b34aa5801f71d930bbc

SHA1
9c4cda360b5b4b4b43c99782afcc159b9710e554

SHA256
fd4c618f459ede2868d1846c50a3996fc874342afd18e264dfcb3725a3712269

SHA512
70b95bd3d1a409ca3dc89e179eced8258ef46d2d52dd8b1f8e9abd1a3496319f0e3c3b7ac0a476440b15ee6a716c5bcc0d479105ee3c12db67bbba90232e336f

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
Filesize
16KB

MD5
bb50b21e70f4f92ee7624c7801d45e55

SHA1
d704aab549c11c239e9700eb34c6175453088ac2

SHA256
ba26c68192155b7bd230aa25f74922c4e382b23721e79fdff0119e444a5fc238

SHA512
8c2aa6236d0a1246ad976dab8ad9f7ff6323753afeede6de3f50f7c2f100188a3737a4c90125eeec8f7122f612f3c4098b83a873aa35c9a66e8713d1b1f14948

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
Filesize
16KB

MD5
bb50b21e70f4f92ee7624c7801d45e55

SHA1
d704aab549c11c239e9700eb34c6175453088ac2

SHA256
ba26c68192155b7bd230aa25f74922c4e382b23721e79fdff0119e444a5fc238

SHA512
8c2aa6236d0a1246ad976dab8ad9f7ff6323753afeede6de3f50f7c2f100188a3737a4c90125eeec8f7122f612f3c4098b83a873aa35c9a66e8713d1b1f14948

Download Submit
\Users\Admin\AppData\Local\Temp\MFC71CHS.exe
Filesize
543KB

MD5
ef3bda86cfc2991018f32092d3b01b25

SHA1
5ddfcfe2ed6fae903473bed84bd96ad83c1c8b15

SHA256
4e0e7d383f30a6f14dd03c01ae74b3cfbe18b980589134e38d96c089fd6d5314

SHA512
8c2d1cbfb4186a8b87cedfe98ca9b35952e13a0c0cbaed21b16d289ebd9e7f053cfde4ccf6e7ce09ab2a6813a949d670790f7ff5ed2722a3cf7a1e9c89e99dcd

Download Submit
\Users\Admin\AppData\Local\Temp\jb.exe
Filesize
196KB

MD5
d9f0d856a12a5b34aa5801f71d930bbc

SHA1
9c4cda360b5b4b4b43c99782afcc159b9710e554

SHA256
fd4c618f459ede2868d1846c50a3996fc874342afd18e264dfcb3725a3712269

SHA512
70b95bd3d1a409ca3dc89e179eced8258ef46d2d52dd8b1f8e9abd1a3496319f0e3c3b7ac0a476440b15ee6a716c5bcc0d479105ee3c12db67bbba90232e336f

Download Submit
\Users\Admin\AppData\Local\Temp\jb.exe
Filesize
196KB

MD5
d9f0d856a12a5b34aa5801f71d930bbc

SHA1
9c4cda360b5b4b4b43c99782afcc159b9710e554

SHA256
fd4c618f459ede2868d1846c50a3996fc874342afd18e264dfcb3725a3712269

SHA512
70b95bd3d1a409ca3dc89e179eced8258ef46d2d52dd8b1f8e9abd1a3496319f0e3c3b7ac0a476440b15ee6a716c5bcc0d479105ee3c12db67bbba90232e336f

Download Submit
\Users\Admin\AppData\Local\Temp\scvhost.exe
Filesize
137KB

MD5
02f1a88947345170ed8f01779baa2645

SHA1
4e2cd34f2f8e6ea4e0fa06ba3de7f539aaf96293

SHA256
0121a9201574d372d625d49f1975fd1c90c2cc871bf06cd1bec9f557e9fa1e3b

SHA512
5b9da92bb3dc3f9c9757dbc9deda51eab33e3d5bd0c4ed54dae8b29453c392149aca240a3e7f34b1b3dacc29680dd5b1cbd97b3509e633c6d3486cbd932ebe75

Download Submit
\Users\Admin\AppData\Local\Temp\scvhost.exe
Filesize
137KB

MD5
02f1a88947345170ed8f01779baa2645

SHA1
4e2cd34f2f8e6ea4e0fa06ba3de7f539aaf96293

SHA256
0121a9201574d372d625d49f1975fd1c90c2cc871bf06cd1bec9f557e9fa1e3b

SHA512
5b9da92bb3dc3f9c9757dbc9deda51eab33e3d5bd0c4ed54dae8b29453c392149aca240a3e7f34b1b3dacc29680dd5b1cbd97b3509e633c6d3486cbd932ebe75

Download Submit
\Users\Admin\AppData\Local\fsfdkygutl
Filesize
19.7MB

MD5
3b8767730efc272fe201c6427ff03f1a

SHA1
b5a3d85cc7c4e9e978e50ca431d301c7ce1d8b56

SHA256
4372caed4dd3e835a240ce53597d958b1dea1c5c71080b357773247b4af54bc4

SHA512
99eac1e74afdd19cad6e90ee62c19f81ec6e0d1b9b48de8bbdb17d17a05ea70df24c7b51673612c6c6e8086fc8bc925953d9279a09d6924f0b4c62c50334cc7a

Download Submit
memory/988-82-0x0000000000000000-mapping.dmp

Download
memory/1064-76-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1064-62-0x0000000000000000-mapping.dmp

Download
memory/1544-83-0x0000000000000000-mapping.dmp

Download
memory/1720-90-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1908-55-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-73-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1908-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download
memory/1940-86-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1940-85-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1940-91-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1940-92-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2008-66-0x0000000000000000-mapping.dmp

Download
memory/2008-81-0x0000000073E11000-0x0000000073E13000-memory.dmp

Filesize
8KB

Download
memory/2024-71-0x0000000000000000-mapping.dmp

Download