gh0strat | 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1

General

Target

6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
Size

96KB
MD5

fe46056fc8bd9d648a29e076650a2bdf
SHA1

d8e087bf82884fd900fa6bab3019e73cf7ebf213
SHA256

6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1
SHA512

1ea0fa142d386e2007b57c0335b18be583b624aebee187e86102d943c65631977c8c26fb02ef8c248445d6166bb0939edaaa4b579d1a1f15a50a9e8c9a017d4b
SSDEEP

3072:iOS4jHS8q/3nTzePCwNUh4E90yp9w7RUTV/LUz:ih428q/nTzePCwG70ywSS

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\ifpnf.cc3	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3	family_gh0strat
behavioral2/memory/4740-140-0x0000000000400000-0x000000000044E29C-memory.dmp	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3	family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

efsknwbmrg

pid process

4740 efsknwbmrg
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

5004 svchost.exe
212 svchost.exe
4360 svchost.exe

pid	process
4740	efsknwbmrg

pid	process
5004	svchost.exe
212	svchost.exe
4360	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\eeelepbbnr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\eeurdyitad	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\euwdtfnpbt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1396 5004 WerFault.exe svchost.exe
3884 212 WerFault.exe svchost.exe
3564 4360 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

efsknwbmrg

pid process

4740 efsknwbmrg
4740 efsknwbmrg

pid	pid_target	process	target process
1396	5004	WerFault.exe	svchost.exe
3884	212	WerFault.exe	svchost.exe
3564	4360	WerFault.exe	svchost.exe

pid	process
4740	efsknwbmrg
4740	efsknwbmrg

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

efsknwbmrgsvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	4740	efsknwbmrg
Token: SeBackupPrivilege	4740	efsknwbmrg
Token: SeBackupPrivilege	4740	efsknwbmrg
Token: SeRestorePrivilege	4740	efsknwbmrg
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeRestorePrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeSecurityPrivilege	5004	svchost.exe
Token: SeSecurityPrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeSecurityPrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeSecurityPrivilege	5004	svchost.exe
Token: SeBackupPrivilege	5004	svchost.exe
Token: SeRestorePrivilege	5004	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeRestorePrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeSecurityPrivilege	212	svchost.exe
Token: SeBackupPrivilege	212	svchost.exe
Token: SeRestorePrivilege	212	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeRestorePrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeSecurityPrivilege	4360	svchost.exe
Token: SeSecurityPrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeSecurityPrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeSecurityPrivilege	4360	svchost.exe
Token: SeBackupPrivilege	4360	svchost.exe
Token: SeRestorePrivilege	4360	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe

description	pid	process	target process
PID 2364 wrote to memory of 4740	2364	6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe	efsknwbmrg
PID 2364 wrote to memory of 4740	2364	6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe	efsknwbmrg
PID 2364 wrote to memory of 4740	2364	6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe	efsknwbmrg

C:\Users\Admin\AppData\Local\Temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
"C:\Users\Admin\AppData\Local\Temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364

\??\c:\users\admin\appdata\local\efsknwbmrg
"C:\Users\Admin\AppData\Local\Temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe" a -sc:\users\admin\appdata\local\temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 872
2⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5004 -ip 5004
1⤵
PID:4660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 880
2⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 212 -ip 212
1⤵
PID:536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 888
2⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4360 -ip 4360
1⤵
PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3
Filesize
20.1MB

MD5
ef5c0f76915d5763205ee9eb3726842b

SHA1
ed4e5fe33bebc2a6a9bcedfbbfbee99cdf16f21b

SHA256
08f316b3acc510131c7eb978e65c3739937e95a1cdc5e9b87b77010f108a32af

SHA512
5f005f1701ea8dfd0ae0e4407005054225d44b88c759d584541a78e5e187e6c2c7e10be3548880e7cd88bc71e50a505540fadadf3a2bdbd170674034d71e124b

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3
Filesize
20.1MB

MD5
ef5c0f76915d5763205ee9eb3726842b

SHA1
ed4e5fe33bebc2a6a9bcedfbbfbee99cdf16f21b

SHA256
08f316b3acc510131c7eb978e65c3739937e95a1cdc5e9b87b77010f108a32af

SHA512
5f005f1701ea8dfd0ae0e4407005054225d44b88c759d584541a78e5e187e6c2c7e10be3548880e7cd88bc71e50a505540fadadf3a2bdbd170674034d71e124b

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3
Filesize
20.1MB

MD5
ef5c0f76915d5763205ee9eb3726842b

SHA1
ed4e5fe33bebc2a6a9bcedfbbfbee99cdf16f21b

SHA256
08f316b3acc510131c7eb978e65c3739937e95a1cdc5e9b87b77010f108a32af

SHA512
5f005f1701ea8dfd0ae0e4407005054225d44b88c759d584541a78e5e187e6c2c7e10be3548880e7cd88bc71e50a505540fadadf3a2bdbd170674034d71e124b

Download Submit
C:\Users\Admin\AppData\Local\efsknwbmrg
Filesize
24.8MB

MD5
68f5705d340b73be7542cc2e0ea5d1fb

SHA1
14b7410e820354b26980b75d1544bc7f495d4cff

SHA256
2b0e13c88e93efa683e8852adb55c2d1808d9e455acef34ebdaf765d1b50717b

SHA512
6f2d88a81afc9dfc21e9d57ffc233215e521c9bd2a617ca7e827c6adab0f7ae7048695333f25022113339e568f97842059b68e7f773fd542677d2e40b0eb1615

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
204B

MD5
867076513d2c20c71cd11a97fe99fb50

SHA1
1ca804a949c6ec8394d0dc5d92de298f0aff3ea2

SHA256
e3269edd40d5d49db93d73a272bdde6a8882d107ca50798c15eba1864d5fa435

SHA512
b2757aab6ddb2fc8f9be443efe2e50c6c1aab8ca0c0504291f56eea4680bfc2d25b68fe40324052c53518befc91fca96aadf23ecad81142b0b16a0eae177a2c7

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
306B

MD5
9291a75c26d98ee09aa7be2ec2368847

SHA1
95aae8ce5cb57ef34d51996a49376c4c0bdf4605

SHA256
1290f48bb329f167f8beb969a077c663f86e28dfb3daa665e2a771f85dfd5a0d

SHA512
7e2e5e6391123550fc25c551bb4b8bd4af3cb74f872882c17f57c2f2f6d1b400f9d1b0c9dbfae3de4534e061eb6d8f126bf118f780044c20e47c4d259980593b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\ifpnf.cc3
Filesize
20.1MB

MD5
ef5c0f76915d5763205ee9eb3726842b

SHA1
ed4e5fe33bebc2a6a9bcedfbbfbee99cdf16f21b

SHA256
08f316b3acc510131c7eb978e65c3739937e95a1cdc5e9b87b77010f108a32af

SHA512
5f005f1701ea8dfd0ae0e4407005054225d44b88c759d584541a78e5e187e6c2c7e10be3548880e7cd88bc71e50a505540fadadf3a2bdbd170674034d71e124b

Download Submit
\??\c:\users\admin\appdata\local\efsknwbmrg
Filesize
24.8MB

MD5
68f5705d340b73be7542cc2e0ea5d1fb

SHA1
14b7410e820354b26980b75d1544bc7f495d4cff

SHA256
2b0e13c88e93efa683e8852adb55c2d1808d9e455acef34ebdaf765d1b50717b

SHA512
6f2d88a81afc9dfc21e9d57ffc233215e521c9bd2a617ca7e827c6adab0f7ae7048695333f25022113339e568f97842059b68e7f773fd542677d2e40b0eb1615

Download Submit
memory/2364-132-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/2364-135-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/4740-140-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/4740-137-0x0000000000400000-0x000000000044E29C-memory.dmp

Filesize
312KB

Download
memory/4740-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads