gh0strat | f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe
Size

196KB
MD5

d8ef06a961dec847b5ab0c1efe78453b
SHA1

bd3ef64a8c65c90982514aea936a20ad4511e50b
SHA256

f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418
SHA512

927937a9c4ab69ce21ff455300863cbca8e88262ec70c326c0ae1c0689d851a986450968e5cf04892d4dd6dbbc14d76676a35c556b844905b4f02b518f41d9d0
SSDEEP

3072:Vgmn0avOvtYz4nqSioDXx4uE9w2qbMUeZPgrQ/O/46u4M15m:+w0avOvtYSiod4uYzqAvZd/246qvm

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022de4-135.dat	family_gh0strat
behavioral2/files/0x0003000000022de4-136.dat	family_gh0strat
behavioral2/files/0x0003000000022de4-137.dat	family_gh0strat
behavioral2/files/0x0003000000022de4-139.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4492	llxcccivme

Loads dropped DLL 3 IoCs

pid	Process
1520	svchost.exe
2912	svchost.exe
2088	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aiwssuqawp	svchost.exe
File created	C:\Windows\SysWOW64\aqcryhbqxv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aygpgtkhxc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aajakrocku	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4872	1520	WerFault.exe	87
4896	2912	WerFault.exe	92
4632	2088	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	llxcccivme
4492	llxcccivme

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4492	llxcccivme
Token: SeBackupPrivilege	4492	llxcccivme
Token: SeBackupPrivilege	4492	llxcccivme
Token: SeRestorePrivilege	4492	llxcccivme
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeRestorePrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeSecurityPrivilege	1520	svchost.exe
Token: SeSecurityPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeSecurityPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeSecurityPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1520	svchost.exe
Token: SeRestorePrivilege	1520	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeRestorePrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeSecurityPrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2912	svchost.exe
Token: SeRestorePrivilege	2912	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeRestorePrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeRestorePrivilege	2088	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4492	2864	f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe	82
PID 2864 wrote to memory of 4492	2864	f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe	82
PID 2864 wrote to memory of 4492	2864	f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe	82

C:\Users\Admin\AppData\Local\Temp\f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe
"C:\Users\Admin\AppData\Local\Temp\f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- \??\c:\users\admin\appdata\local\llxcccivme
  "C:\Users\Admin\AppData\Local\Temp\f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe" a -sc:\users\admin\appdata\local\temp\f085e6f775ed9fc79f315e2ea1dc165bb2b888a75501bf46431bec8bd3380418.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 812
  2⤵
  - Program crash
  PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1520 -ip 1520
1⤵
PID:3244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 896
  2⤵
  - Program crash
  PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2912 -ip 2912
1⤵
PID:476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1048
  2⤵
  - Program crash
  PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2088 -ip 2088
1⤵
PID:4568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\xqrpn.cc3

Filesize
24.0MB

MD5
1f8f3efd813c18af5f310b738bad8430

SHA1
506316fc3b50aeda60d77cb9a6fde8db2ac46f86

SHA256
c7f65f5f766b840bb140c0cfd69087ded1f545748b8e432be20a418578b40c58

SHA512
7bde146e8438644b8d61165e8f1653e23def96efa88a095132eaf17e920e4f521b4beb9923308575e833901f348ebcdbd59b1e56365c2d55e3b8f4fa9abe5614

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xqrpn.cc3

Filesize
24.0MB

MD5
1f8f3efd813c18af5f310b738bad8430

SHA1
506316fc3b50aeda60d77cb9a6fde8db2ac46f86

SHA256
c7f65f5f766b840bb140c0cfd69087ded1f545748b8e432be20a418578b40c58

SHA512
7bde146e8438644b8d61165e8f1653e23def96efa88a095132eaf17e920e4f521b4beb9923308575e833901f348ebcdbd59b1e56365c2d55e3b8f4fa9abe5614

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xqrpn.cc3

Filesize
24.0MB

MD5
1f8f3efd813c18af5f310b738bad8430

SHA1
506316fc3b50aeda60d77cb9a6fde8db2ac46f86

SHA256
c7f65f5f766b840bb140c0cfd69087ded1f545748b8e432be20a418578b40c58

SHA512
7bde146e8438644b8d61165e8f1653e23def96efa88a095132eaf17e920e4f521b4beb9923308575e833901f348ebcdbd59b1e56365c2d55e3b8f4fa9abe5614

Download Submit
C:\Users\Admin\AppData\Local\llxcccivme

Filesize
23.0MB

MD5
5b11c5958477b83d4f2a1af645a3bfb5

SHA1
818f5df2a7ac62f5692de1ad9e7ed7226132029d

SHA256
ed676a8bbbaff84d7f30f7be35f2ae42a644ef608ee17aad718bfc90982003af

SHA512
92a30cff31253e4deff41adb83388544a92e5d7cc67bb211e1bc26d10c78df1e8eb8b43a963c9fa679efe80d581ec62c4edeadceb1ca39e377a34b6a350ef9a8

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
206B

MD5
fdd6081b56bc6ec1a71d8c5648c82c41

SHA1
f402ad415e53dd8c5b6bd4f1579968614f17c4d2

SHA256
dc2e4afc77300c84c5972a407c98329ad17c266037de3877f8d620d333d51937

SHA512
a8bb404ed7d13c327246f0e4af34397de81d5ca8d1874c2f65dfa52fd478099ce55579ccb38f18bdc01f2b8d8d3da2339324086bc70d0cacc7ca5dd104756d9e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
309B

MD5
8d6f17a2c75c5249dcd1978f3b25af5c

SHA1
8ee01a9c87db631bf93f9014fdda9f74fc646501

SHA256
b29fa8b6afa5f3ce32d67475b3afb84d96546ffdd7474371ad6cbeacc49eee25

SHA512
090c5ade52a8f726cb2d8e4a367d258e3cf60c83353f808cac044d07e09030fd6ce13c067ce2686b9a4d955004302e2c1edd81c66fa3f4ddacd55e5476f0c61e

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xqrpn.cc3

Filesize
24.0MB

MD5
1f8f3efd813c18af5f310b738bad8430

SHA1
506316fc3b50aeda60d77cb9a6fde8db2ac46f86

SHA256
c7f65f5f766b840bb140c0cfd69087ded1f545748b8e432be20a418578b40c58

SHA512
7bde146e8438644b8d61165e8f1653e23def96efa88a095132eaf17e920e4f521b4beb9923308575e833901f348ebcdbd59b1e56365c2d55e3b8f4fa9abe5614

Download Submit
\??\c:\users\admin\appdata\local\llxcccivme

Filesize
23.0MB

MD5
5b11c5958477b83d4f2a1af645a3bfb5

SHA1
818f5df2a7ac62f5692de1ad9e7ed7226132029d

SHA256
ed676a8bbbaff84d7f30f7be35f2ae42a644ef608ee17aad718bfc90982003af

SHA512
92a30cff31253e4deff41adb83388544a92e5d7cc67bb211e1bc26d10c78df1e8eb8b43a963c9fa679efe80d581ec62c4edeadceb1ca39e377a34b6a350ef9a8

Download Submit