gh0strat | bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad

Analysis

max time kernel
149s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe
Size

96KB
MD5

0f909f441471aca918e5c5a9d6303e63
SHA1

61a4bba60e22377b3a4806bbf9e3ecbb61f83f77
SHA256

bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad
SHA512

2644a1b22d8626752e8733c254cba5500767f8d0d3bec488415d549e2ec34230021dadd3c4f60c2e9608b41266d1bb29c24da906a32e1ea74d0293aaf42a79f5
SSDEEP

1536:Z1FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prGoq64Bm:ZbS4jHS8q/3nTzePCwNUh4E9Gl/Bm

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e14-138.dat	family_gh0strat
behavioral2/files/0x0007000000022e14-139.dat	family_gh0strat
behavioral2/memory/2540-140-0x0000000000400000-0x000000000044E2F8-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e14-141.dat	family_gh0strat
behavioral2/files/0x0007000000022e14-143.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2540	gyubjtbwbq

Loads dropped DLL 3 IoCs

pid	Process
3292	svchost.exe
4992	svchost.exe
1872	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\adasgbuixr	svchost.exe
File created	C:\Windows\SysWOW64\adqxfkcbld	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\achddtkuxo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aulyxxskkw	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4280	3292	WerFault.exe	81
2080	4992	WerFault.exe	85
2960	1872	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	gyubjtbwbq
2540	gyubjtbwbq

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2540	gyubjtbwbq
Token: SeBackupPrivilege	2540	gyubjtbwbq
Token: SeBackupPrivilege	2540	gyubjtbwbq
Token: SeRestorePrivilege	2540	gyubjtbwbq
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeRestorePrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeSecurityPrivilege	3292	svchost.exe
Token: SeSecurityPrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeSecurityPrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeSecurityPrivilege	3292	svchost.exe
Token: SeBackupPrivilege	3292	svchost.exe
Token: SeRestorePrivilege	3292	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeRestorePrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeSecurityPrivilege	4992	svchost.exe
Token: SeSecurityPrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeSecurityPrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeSecurityPrivilege	4992	svchost.exe
Token: SeBackupPrivilege	4992	svchost.exe
Token: SeRestorePrivilege	4992	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeRestorePrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeSecurityPrivilege	1872	svchost.exe
Token: SeSecurityPrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeSecurityPrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeSecurityPrivilege	1872	svchost.exe
Token: SeBackupPrivilege	1872	svchost.exe
Token: SeRestorePrivilege	1872	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2540	4448	bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe	79
PID 4448 wrote to memory of 2540	4448	bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe	79
PID 4448 wrote to memory of 2540	4448	bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe	79

C:\Users\Admin\AppData\Local\Temp\bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe
"C:\Users\Admin\AppData\Local\Temp\bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- \??\c:\users\admin\appdata\local\gyubjtbwbq
  "C:\Users\Admin\AppData\Local\Temp\bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe" a -sc:\users\admin\appdata\local\temp\bc28ec54bceef8a709ad6493a8434712a3b1512aa2acbf86e0352591169fe8ad.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 948
  2⤵
  - Program crash
  PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3292 -ip 3292
1⤵
PID:4392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1092
  2⤵
  - Program crash
  PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4992 -ip 4992
1⤵
PID:1868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1108
  2⤵
  - Program crash
  PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1872 -ip 1872
1⤵
PID:3752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\iovpy.cc3

Filesize
21.0MB

MD5
ff7e65504023f5010be7080ebf0e9e64

SHA1
d0cf2918d78daa68c6c3e26ee091d2c9f860596b

SHA256
3cfc62e0c2715c18178e9451d07cde2c0fd83d5f0194427b9224947c4a653c1a

SHA512
0b0ceb50d9146a15111c5792cd34e52d5b8020a39a7ab613070e45f7a546c3e5fd483f14b8f842f38a4b3cf837fdf71b32dd0b01b9f6f303dfc118d79e9c192a

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\iovpy.cc3

Filesize
21.0MB

MD5
ff7e65504023f5010be7080ebf0e9e64

SHA1
d0cf2918d78daa68c6c3e26ee091d2c9f860596b

SHA256
3cfc62e0c2715c18178e9451d07cde2c0fd83d5f0194427b9224947c4a653c1a

SHA512
0b0ceb50d9146a15111c5792cd34e52d5b8020a39a7ab613070e45f7a546c3e5fd483f14b8f842f38a4b3cf837fdf71b32dd0b01b9f6f303dfc118d79e9c192a

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\iovpy.cc3

Filesize
21.0MB

MD5
ff7e65504023f5010be7080ebf0e9e64

SHA1
d0cf2918d78daa68c6c3e26ee091d2c9f860596b

SHA256
3cfc62e0c2715c18178e9451d07cde2c0fd83d5f0194427b9224947c4a653c1a

SHA512
0b0ceb50d9146a15111c5792cd34e52d5b8020a39a7ab613070e45f7a546c3e5fd483f14b8f842f38a4b3cf837fdf71b32dd0b01b9f6f303dfc118d79e9c192a

Download Submit
C:\Users\Admin\AppData\Local\gyubjtbwbq

Filesize
25.0MB

MD5
78e29d9aa76897d19c0be214223f9fad

SHA1
ae7a714c56aa422ae17f17b50f93914bc8dd153e

SHA256
a3c30aaa7546b7e6141e4fb5cf4b3e5cfdf28273abe71e0bd2404be59d7c5968

SHA512
0e4287e3e4ff3ca5c6febb9816c8755a91f01a590a51d73a5e76cb66e9b8937ecaf8043d93c7a96d65242778ebad021972ca90ea6368c6a0b50886826331a73b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
201B

MD5
11f09307d8ecb4f8dfd1ca3b1a3a5810

SHA1
3198105c552c0892407c5d3b715d2c1cb9866ace

SHA256
ff495e71252428f6453bf231bf07d95331dca9d82fc89f1c336b483505d771b5

SHA512
ad1d3e6c890d02a953ce701629963ec9dcae69cc3c5f82355a359635eeaae657565f902799938ff1eb808f767f055bd7fca60822579bcbae2f1e05c1c997a9a2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
302B

MD5
594d80487adfa664c7142ec2518308c7

SHA1
4d03d92c330e554ffe9aaeb698b9c57f3627bc48

SHA256
69c866f0330d74b870139cf1cace35fd4cf63b08fefd5ed82b700ecb0184d19b

SHA512
e28ceb867e33cf78ff7d311613b8da2d99682f1f64b57300f24fe9fc5ce474403f60bfba8bff989ce3ca755559fd7eea615ab6709b4e966a3eddfc81a187b104

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\iovpy.cc3

Filesize
21.0MB

MD5
ff7e65504023f5010be7080ebf0e9e64

SHA1
d0cf2918d78daa68c6c3e26ee091d2c9f860596b

SHA256
3cfc62e0c2715c18178e9451d07cde2c0fd83d5f0194427b9224947c4a653c1a

SHA512
0b0ceb50d9146a15111c5792cd34e52d5b8020a39a7ab613070e45f7a546c3e5fd483f14b8f842f38a4b3cf837fdf71b32dd0b01b9f6f303dfc118d79e9c192a

Download Submit
\??\c:\users\admin\appdata\local\gyubjtbwbq

Filesize
25.0MB

MD5
78e29d9aa76897d19c0be214223f9fad

SHA1
ae7a714c56aa422ae17f17b50f93914bc8dd153e

SHA256
a3c30aaa7546b7e6141e4fb5cf4b3e5cfdf28273abe71e0bd2404be59d7c5968

SHA512
0e4287e3e4ff3ca5c6febb9816c8755a91f01a590a51d73a5e76cb66e9b8937ecaf8043d93c7a96d65242778ebad021972ca90ea6368c6a0b50886826331a73b

Download Submit
memory/2540-140-0x0000000000400000-0x000000000044E2F8-memory.dmp

Filesize
312KB

Download
memory/2540-137-0x0000000000400000-0x000000000044E2F8-memory.dmp

Filesize
312KB

Download
memory/4448-132-0x0000000000400000-0x000000000044E2F8-memory.dmp

Filesize
312KB

Download
memory/4448-133-0x0000000000400000-0x000000000044E2F8-memory.dmp

Filesize
312KB

Download