gh0strat | 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03

General

Target

22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
Size

96KB
MD5

143d616b1ba8dc45a2a4d506b2365ec7
SHA1

0e7569741b996a7ad72e4175025a69205712a775
SHA256

22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03
SHA512

947e789a37db4b692157c1fb409a763353dbb6234cd1c53a530253ffd4936413d47e3d2c2d7248db3c78ec9680e96111e39c6b8776dd52721b6a058bac2d056f
SSDEEP

1536:gcFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prbrJRlRjdCQ35HFP:gOS4jHS8q/3nTzePCwNUh4E9bvfjwiFP

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\eocol.cc3	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3	family_gh0strat
behavioral2/memory/4672-139-0x0000000000400000-0x000000000044E354-memory.dmp	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

intwtluvic

pid process

4672 intwtluvic
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1368 svchost.exe
3792 svchost.exe
1776 svchost.exe

pid	process
4672	intwtluvic

pid	process
1368	svchost.exe
3792	svchost.exe
1776	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dcihcehmdq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dlykofnfce	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dtejvrxvck	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4560 1368 WerFault.exe svchost.exe
332 3792 WerFault.exe svchost.exe
2396 1776 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

intwtluvic

pid process

4672 intwtluvic
4672 intwtluvic

pid	pid_target	process	target process
4560	1368	WerFault.exe	svchost.exe
332	3792	WerFault.exe	svchost.exe
2396	1776	WerFault.exe	svchost.exe

pid	process
4672	intwtluvic
4672	intwtluvic

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

intwtluvicsvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	4672	intwtluvic
Token: SeBackupPrivilege	4672	intwtluvic
Token: SeBackupPrivilege	4672	intwtluvic
Token: SeRestorePrivilege	4672	intwtluvic
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeRestorePrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeSecurityPrivilege	1368	svchost.exe
Token: SeSecurityPrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeSecurityPrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeSecurityPrivilege	1368	svchost.exe
Token: SeBackupPrivilege	1368	svchost.exe
Token: SeRestorePrivilege	1368	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeRestorePrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeSecurityPrivilege	3792	svchost.exe
Token: SeSecurityPrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeSecurityPrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeSecurityPrivilege	3792	svchost.exe
Token: SeBackupPrivilege	3792	svchost.exe
Token: SeRestorePrivilege	3792	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeRestorePrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeSecurityPrivilege	1776	svchost.exe
Token: SeBackupPrivilege	1776	svchost.exe
Token: SeRestorePrivilege	1776	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe

description	pid	process	target process
PID 992 wrote to memory of 4672	992	22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe	intwtluvic
PID 992 wrote to memory of 4672	992	22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe	intwtluvic
PID 992 wrote to memory of 4672	992	22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe	intwtluvic

C:\Users\Admin\AppData\Local\Temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
"C:\Users\Admin\AppData\Local\Temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

\??\c:\users\admin\appdata\local\intwtluvic
"C:\Users\Admin\AppData\Local\Temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe" a -sc:\users\admin\appdata\local\temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 868
2⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1368 -ip 1368
1⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1112
2⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3792 -ip 3792
1⤵
PID:3132

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1056
2⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1776 -ip 1776
1⤵
PID:3300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3
Filesize
20.1MB

MD5
2ed6ac1f95fb26fccbe1e11940c7a531

SHA1
2de6a0e35727ad20c6468acc85303f46b1f323b7

SHA256
df9b107c1e022ad40d5d698a340695b143a9d8718c4cbd2e314c0ef349c4ece0

SHA512
afb2709b01097e9013d3f2d3352972ee91665c7de028d352e20f20ef0f5440415e46d6994218da3aaa471971dde2a5524da3f358eace3c15e9acdaa61bc6e876

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3
Filesize
20.1MB

MD5
2ed6ac1f95fb26fccbe1e11940c7a531

SHA1
2de6a0e35727ad20c6468acc85303f46b1f323b7

SHA256
df9b107c1e022ad40d5d698a340695b143a9d8718c4cbd2e314c0ef349c4ece0

SHA512
afb2709b01097e9013d3f2d3352972ee91665c7de028d352e20f20ef0f5440415e46d6994218da3aaa471971dde2a5524da3f358eace3c15e9acdaa61bc6e876

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3
Filesize
20.1MB

MD5
2ed6ac1f95fb26fccbe1e11940c7a531

SHA1
2de6a0e35727ad20c6468acc85303f46b1f323b7

SHA256
df9b107c1e022ad40d5d698a340695b143a9d8718c4cbd2e314c0ef349c4ece0

SHA512
afb2709b01097e9013d3f2d3352972ee91665c7de028d352e20f20ef0f5440415e46d6994218da3aaa471971dde2a5524da3f358eace3c15e9acdaa61bc6e876

Download Submit
C:\Users\Admin\AppData\Local\intwtluvic
Filesize
22.8MB

MD5
229575d7ad4e8e49190b06c01f9f8646

SHA1
a11877a33d284309fc0cb939181a84d31d8ae780

SHA256
32976c9f023eb2da3ea23f83d31432bbc6db71020d4048fc021b0cc00bf93524

SHA512
69baccae65fc29ce4b0973b547965a5cf579fdb4601c23f48d7b2638167271c646cc3f0f5add700f84b6f2d7750cbc4f38b98c9090b117600349e13be40d4085

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
204B

MD5
6259d97901a73e77dd4c12c525726e68

SHA1
bd64bb6c8192572a03e6bc9644aee6cf7a606bb9

SHA256
d0a3749c6287c0a35f524f272c688a7895817feabd0767df184c9a70282408a3

SHA512
8e7cad2dbdba4005d93daa43b43af98ad1fa83b8af9aa6ac15a94ae561f86813d86688df119e76b836bb881c704414d3fb2af507fb9bf5174cb7dd0fdbef1802

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
307B

MD5
bfa91b3a88cc6a6bea830937e11917c2

SHA1
7d5c4403f4d26a0cfaf963c4a627779ea1ba2ddf

SHA256
2595247f9b53d2f6ecea2775fdba9148e9a0b2fcf6db368163a5b43100d7e9d1

SHA512
7d4d460d14ae04fca62910e9b9e393b38cfde11f8c3e49324dc65c04d61ebe6b0976f90771cb6b2906bef27f70349beeb1b5a934cb517f518a5ea652a965ee2e

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\eocol.cc3
Filesize
20.1MB

MD5
2ed6ac1f95fb26fccbe1e11940c7a531

SHA1
2de6a0e35727ad20c6468acc85303f46b1f323b7

SHA256
df9b107c1e022ad40d5d698a340695b143a9d8718c4cbd2e314c0ef349c4ece0

SHA512
afb2709b01097e9013d3f2d3352972ee91665c7de028d352e20f20ef0f5440415e46d6994218da3aaa471971dde2a5524da3f358eace3c15e9acdaa61bc6e876

Download Submit
\??\c:\users\admin\appdata\local\intwtluvic
Filesize
22.8MB

MD5
229575d7ad4e8e49190b06c01f9f8646

SHA1
a11877a33d284309fc0cb939181a84d31d8ae780

SHA256
32976c9f023eb2da3ea23f83d31432bbc6db71020d4048fc021b0cc00bf93524

SHA512
69baccae65fc29ce4b0973b547965a5cf579fdb4601c23f48d7b2638167271c646cc3f0f5add700f84b6f2d7750cbc4f38b98c9090b117600349e13be40d4085

Download Submit
memory/992-132-0x0000000000400000-0x000000000044E354-memory.dmp

Filesize
312KB

Download
memory/4672-133-0x0000000000000000-mapping.dmp

Download
memory/4672-136-0x0000000000400000-0x000000000044E354-memory.dmp

Filesize
312KB

Download
memory/4672-139-0x0000000000400000-0x000000000044E354-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads