gh0strat | 940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44

Analysis

max time kernel
91s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 05:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe
Size

207KB
MD5

e2421f556df673f2d4839881dbe0487b
SHA1

82c3fbc749d7c8a9758d3b548112e8e694c47025
SHA256

940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44
SHA512

01350d3db0c91c6b2d0ecf2b394b773394d3c763daa7209680932e127def876ef897f01639fac3623345da68e48b770d711e834b303029f16675b3f8c206a59b
SSDEEP

6144:nX3YRz6tdsLebDI/DP0cTBlpznN3PUG9F:XR4LefI/DP0cT377

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022de9-136.dat	family_gh0strat
behavioral2/memory/4960-137-0x0000000000400000-0x0000000000437000-memory.dmp	family_gh0strat
behavioral2/files/0x0003000000022de9-138.dat	family_gh0strat
behavioral2/memory/4924-139-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4960-141-0x0000000000400000-0x0000000000437000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4924	csrsss.exe

Loads dropped DLL 1 IoCs

pid	Process
4924	csrsss.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\370200.vbe	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4912	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	4924	WerFault.exe	81

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4912	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	80
PID 4960 wrote to memory of 4912	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	80
PID 4960 wrote to memory of 4912	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	80
PID 4960 wrote to memory of 4924	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	81
PID 4960 wrote to memory of 4924	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	81
PID 4960 wrote to memory of 4924	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	81
PID 4960 wrote to memory of 4588	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	86
PID 4960 wrote to memory of 4588	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	86
PID 4960 wrote to memory of 4588	4960	940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe	86

C:\Users\Admin\AppData\Local\Temp\940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe
"C:\Users\Admin\AppData\Local\Temp\940db716c46b418d57ffe017efb1b1d109e352d9151d83135586d1d6e1677a44.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\sc.exe
  sc config DcomLaunch start= auto
  2⤵
  - Launches sc.exe
  PID:4912
- C:\anquan\csrsss.exe
  C:\anquan\csrsss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 240
    3⤵
    - Program crash
    PID:1684
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe C:\Windows\system32\370200.vbe
  2⤵
  PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4924 -ip 4924
1⤵
PID:356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\370200.vbe

Filesize
1KB

MD5
2fd2165dd941b10f037c297fb29e55b0

SHA1
a5cac864d7db3823776cd87a7f4c33d053c16851

SHA256
798b7093b4504be1a286fc9e47c18b9275d0be0d2004707e8b871f5bca498caf

SHA512
4830a3d717a2179e9441961c549b1ff227048d90995b109d8a36ba8f9f3375e9e66fb6ba5a5ab2768ba4894a1b5c588c42e446b9317ee922ed6a63042eb94bb5

Download Submit
C:\anquan\Common\Utility.dll

Filesize
40.1MB

MD5
c1675d32bdd3ad4c18a1cb165d5f7281

SHA1
663e9e00602daf10dd7c299673ab116c72aa8313

SHA256
39546f12c3dbbe3fba75c5d08c17d50124640020072e43dd96165eed49f4db01

SHA512
55651a9a52255b8dde74de1014a14bf6edda713e343f40ca1ee03965dc69c4110d3dd82722c2859bdd21da775354d6dc079e22bfbae1786b5f7789acb8e2b603

Download Submit
C:\anquan\common\Utility.dll

Filesize
40.1MB

MD5
c1675d32bdd3ad4c18a1cb165d5f7281

SHA1
663e9e00602daf10dd7c299673ab116c72aa8313

SHA256
39546f12c3dbbe3fba75c5d08c17d50124640020072e43dd96165eed49f4db01

SHA512
55651a9a52255b8dde74de1014a14bf6edda713e343f40ca1ee03965dc69c4110d3dd82722c2859bdd21da775354d6dc079e22bfbae1786b5f7789acb8e2b603

Download Submit
C:\anquan\csrsss.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
C:\anquan\csrsss.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
memory/4924-139-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4960-137-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4960-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download