gh0strat | 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6

General

Target

7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
Size

95KB
MD5

f7476fb58982ba61167f4932e396849b
SHA1

04ab56afb2175afb83e7c4b953ef6bf1a7036124
SHA256

7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6
SHA512

fe6362492b29be045008461b14450b2c0f6e131223a38701e6c5fd47821769310fb5a1f10b5c1edba646b5daec57c72d4a0584fdbc9a30f1044e5c81705fa497
SSDEEP

1536:emFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prAp6o521TT:esS4jHS8q/3nTzePCwNUh4E9nT

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\utelu.cc3	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3	family_gh0strat
behavioral2/memory/4988-139-0x0000000000400000-0x000000000044E240-memory.dmp	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

ktoysvkjnl

pid process

4988 ktoysvkjnl
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

3308 svchost.exe
4560 svchost.exe
3544 svchost.exe

pid	process
4988	ktoysvkjnl

pid	process
3308	svchost.exe
4560	svchost.exe
3544	svchost.exe

Drops file in System32 directory 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cdichtncdh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dubeeygsia	svchost.exe
File created	C:\Windows\SysWOW64\ddgcllpjjg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dabicpislw	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4176 3308 WerFault.exe svchost.exe
212 4560 WerFault.exe svchost.exe
4948 3544 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ktoysvkjnl

pid process

4988 ktoysvkjnl
4988 ktoysvkjnl

pid	pid_target	process	target process
4176	3308	WerFault.exe	svchost.exe
212	4560	WerFault.exe	svchost.exe
4948	3544	WerFault.exe	svchost.exe

pid	process
4988	ktoysvkjnl
4988	ktoysvkjnl

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

ktoysvkjnlsvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	4988	ktoysvkjnl
Token: SeBackupPrivilege	4988	ktoysvkjnl
Token: SeBackupPrivilege	4988	ktoysvkjnl
Token: SeRestorePrivilege	4988	ktoysvkjnl
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeRestorePrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeSecurityPrivilege	3308	svchost.exe
Token: SeSecurityPrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeSecurityPrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeSecurityPrivilege	3308	svchost.exe
Token: SeBackupPrivilege	3308	svchost.exe
Token: SeRestorePrivilege	3308	svchost.exe
Token: SeBackupPrivilege	4560	svchost.exe
Token: SeRestorePrivilege	4560	svchost.exe
Token: SeBackupPrivilege	4560	svchost.exe
Token: SeBackupPrivilege	4560	svchost.exe
Token: SeSecurityPrivilege	4560	svchost.exe
Token: SeSecurityPrivilege	4560	svchost.exe
Token: SeBackupPrivilege	4560	svchost.exe
Token: SeBackupPrivilege	4560	svchost.exe
Token: SeSecurityPrivilege	4560	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeRestorePrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeBackupPrivilege	3544	svchost.exe
Token: SeSecurityPrivilege	3544	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe

description	pid	process	target process
PID 704 wrote to memory of 4988	704	7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe	ktoysvkjnl
PID 704 wrote to memory of 4988	704	7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe	ktoysvkjnl
PID 704 wrote to memory of 4988	704	7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe	ktoysvkjnl

C:\Users\Admin\AppData\Local\Temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
"C:\Users\Admin\AppData\Local\Temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:704

\??\c:\users\admin\appdata\local\ktoysvkjnl
"C:\Users\Admin\AppData\Local\Temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe" a -sc:\users\admin\appdata\local\temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1012
2⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3308 -ip 3308
1⤵
PID:4628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1116
2⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4560 -ip 4560
1⤵
PID:112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 800
2⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3544 -ip 3544
1⤵
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3
Filesize
23.1MB

MD5
ae66259783164199ce386eda14489d49

SHA1
a6abf6c258393435a1d43588fb17d2604b519dfb

SHA256
07f9b14033efb6b9033096041ad8ba6d1a1fc82696f4428ba7bb1718761f15ea

SHA512
ce9092d5a56f1d3e166bf2c66365d926d16a7aacf075c840791b6976ecc0cdae5904e4cbfc84f9d5a0eebe36d0ca0a9df4759bb5ede817bf228bdf7fc21744b6

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3
Filesize
23.1MB

MD5
ae66259783164199ce386eda14489d49

SHA1
a6abf6c258393435a1d43588fb17d2604b519dfb

SHA256
07f9b14033efb6b9033096041ad8ba6d1a1fc82696f4428ba7bb1718761f15ea

SHA512
ce9092d5a56f1d3e166bf2c66365d926d16a7aacf075c840791b6976ecc0cdae5904e4cbfc84f9d5a0eebe36d0ca0a9df4759bb5ede817bf228bdf7fc21744b6

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3
Filesize
23.1MB

MD5
ae66259783164199ce386eda14489d49

SHA1
a6abf6c258393435a1d43588fb17d2604b519dfb

SHA256
07f9b14033efb6b9033096041ad8ba6d1a1fc82696f4428ba7bb1718761f15ea

SHA512
ce9092d5a56f1d3e166bf2c66365d926d16a7aacf075c840791b6976ecc0cdae5904e4cbfc84f9d5a0eebe36d0ca0a9df4759bb5ede817bf228bdf7fc21744b6

Download Submit
C:\Users\Admin\AppData\Local\ktoysvkjnl
Filesize
24.2MB

MD5
f3956f8f480817b444c63302c95c3a23

SHA1
93ab1a438173e31daebfb43ae32d37ba212e58b8

SHA256
c89989b53db9a80fe86a21a63bf71d95cf2672e4227b46e20f1c47f629ef8c40

SHA512
55e9064bb9503c928c07f69f76b10dce9334cfeb91b6b643a91369fb3ad804b5bb5b41bd81ef112bd16927fbdc803982ca86e27976c1c10d620b4ab5a1153cd6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
206B

MD5
0d0cdf36bde076b59878dedca87269d5

SHA1
4c84f6531bd8c40fbc10c36638e019c9613da91b

SHA256
d22ecdae9d8a5444a9ddd7e259b2a5e140c4c9cec6a7fec062cccf6709dcf703

SHA512
e7dd4b3e7550f13f9e233787a61f49de2345e465d00fdea1ece809b9de1e54c957bb37ebdceee137095df4a6d748b4fd5689d64334a20b188d5cb525de2380c0

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
308B

MD5
5b35d402e16be2860bdc1fc4c40ab8f4

SHA1
58751eea800ca45f70626d3e335c44411bdedaa1

SHA256
28bab3264e38e3cee41547e40dda3d8b9b7d93b0f369c66134437699870bfd1f

SHA512
52fc8307a9845768fe3f743f266ef8325b6370e45185bada3c3c68c9a862d0f266ff8dfed5e8cef157df3c70ba070046d5a5450b5a391f2b95a2599f30ea34ca

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\utelu.cc3
Filesize
23.1MB

MD5
ae66259783164199ce386eda14489d49

SHA1
a6abf6c258393435a1d43588fb17d2604b519dfb

SHA256
07f9b14033efb6b9033096041ad8ba6d1a1fc82696f4428ba7bb1718761f15ea

SHA512
ce9092d5a56f1d3e166bf2c66365d926d16a7aacf075c840791b6976ecc0cdae5904e4cbfc84f9d5a0eebe36d0ca0a9df4759bb5ede817bf228bdf7fc21744b6

Download Submit
\??\c:\users\admin\appdata\local\ktoysvkjnl
Filesize
24.2MB

MD5
f3956f8f480817b444c63302c95c3a23

SHA1
93ab1a438173e31daebfb43ae32d37ba212e58b8

SHA256
c89989b53db9a80fe86a21a63bf71d95cf2672e4227b46e20f1c47f629ef8c40

SHA512
55e9064bb9503c928c07f69f76b10dce9334cfeb91b6b643a91369fb3ad804b5bb5b41bd81ef112bd16927fbdc803982ca86e27976c1c10d620b4ab5a1153cd6

Download Submit
memory/704-132-0x0000000000400000-0x000000000044E240-memory.dmp

Filesize
312KB

Download
memory/4988-133-0x0000000000000000-mapping.dmp

Download
memory/4988-136-0x0000000000400000-0x000000000044E240-memory.dmp

Filesize
312KB

Download
memory/4988-139-0x0000000000400000-0x000000000044E240-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads