gh0strat | 876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe
Size

95KB
MD5

6b25675226436d12caaa3d9fa2d76b81
SHA1

784ca8d782bd88313c8e57dadf305f9babb227fd
SHA256

876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac
SHA512

506cf7464c829bb68f43742bfff8b2dc279849443811b7c0480c654fab5ad262dda77dc4e147105126bd949bfa7814f36ff75d61a99cabbaf6e3dbe29fa5b6c0
SSDEEP

1536:tTFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prXGrvEQkNB5HYa:ttS4jHS8q/3nTzePCwNUh4E92rMQkf5T

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e21-137.dat	family_gh0strat
behavioral2/files/0x0007000000022e21-138.dat	family_gh0strat
behavioral2/memory/4960-139-0x0000000000400000-0x000000000044E328-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e21-140.dat	family_gh0strat
behavioral2/files/0x0007000000022e21-142.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4960	hhgxqxxmuv

Loads dropped DLL 3 IoCs

pid	Process
4848	svchost.exe
4144	svchost.exe
228	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qmvoyvqkgq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qcvqlerltp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qgmpaovdqf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qfaktaybry	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4128	4848	WerFault.exe	82
1104	4144	WerFault.exe	87
3976	228	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4960	hhgxqxxmuv
4960	hhgxqxxmuv

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeRestorePrivilege	4960	hhgxqxxmuv
Token: SeBackupPrivilege	4960	hhgxqxxmuv
Token: SeBackupPrivilege	4960	hhgxqxxmuv
Token: SeRestorePrivilege	4960	hhgxqxxmuv
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeRestorePrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeSecurityPrivilege	4848	svchost.exe
Token: SeSecurityPrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeSecurityPrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeSecurityPrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4848	svchost.exe
Token: SeRestorePrivilege	4848	svchost.exe
Token: SeBackupPrivilege	4144	svchost.exe
Token: SeRestorePrivilege	4144	svchost.exe
Token: SeBackupPrivilege	4144	svchost.exe
Token: SeBackupPrivilege	4144	svchost.exe
Token: SeSecurityPrivilege	4144	svchost.exe
Token: SeSecurityPrivilege	4144	svchost.exe
Token: SeBackupPrivilege	4144	svchost.exe
Token: SeBackupPrivilege	4144	svchost.exe
Token: SeSecurityPrivilege	4144	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4960	1620	876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe	81
PID 1620 wrote to memory of 4960	1620	876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe	81
PID 1620 wrote to memory of 4960	1620	876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe	81

C:\Users\Admin\AppData\Local\Temp\876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe
"C:\Users\Admin\AppData\Local\Temp\876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- \??\c:\users\admin\appdata\local\hhgxqxxmuv
  "C:\Users\Admin\AppData\Local\Temp\876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe" a -sc:\users\admin\appdata\local\temp\876f83b31273b7ed38df868d5e94aa7f5be9b55fe7a06d2fa723c44223ce40ac.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 872
  2⤵
  - Program crash
  PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848
1⤵
PID:640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1096
  2⤵
  - Program crash
  PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4144 -ip 4144
1⤵
PID:4252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1104
  2⤵
  - Program crash
  PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 228 -ip 228
1⤵
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\rivtn.cc3

Filesize
20.1MB

MD5
0e23205bc16317002c63a9f536db15ac

SHA1
9fbf5670884684039e8448270d7e92c8c526fef9

SHA256
ab6fda162d38467de771218cf9df8f09dd903cf83d4f721279ace7a7ce20bf3e

SHA512
db0093505c1f4f420df10cce144120edda93546cb753bcc6c888a2db07597db15420558569c99574f0be707763cc22699ebb59b23bfbbf4281cfb6c71b27229b

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\rivtn.cc3

Filesize
20.1MB

MD5
0e23205bc16317002c63a9f536db15ac

SHA1
9fbf5670884684039e8448270d7e92c8c526fef9

SHA256
ab6fda162d38467de771218cf9df8f09dd903cf83d4f721279ace7a7ce20bf3e

SHA512
db0093505c1f4f420df10cce144120edda93546cb753bcc6c888a2db07597db15420558569c99574f0be707763cc22699ebb59b23bfbbf4281cfb6c71b27229b

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\rivtn.cc3

Filesize
20.1MB

MD5
0e23205bc16317002c63a9f536db15ac

SHA1
9fbf5670884684039e8448270d7e92c8c526fef9

SHA256
ab6fda162d38467de771218cf9df8f09dd903cf83d4f721279ace7a7ce20bf3e

SHA512
db0093505c1f4f420df10cce144120edda93546cb753bcc6c888a2db07597db15420558569c99574f0be707763cc22699ebb59b23bfbbf4281cfb6c71b27229b

Download Submit
C:\Users\Admin\AppData\Local\hhgxqxxmuv

Filesize
21.8MB

MD5
dd7733893b34678164c4f5051f8a226b

SHA1
57c6658d0c6cc5539320b74a0e285f1dd3a58196

SHA256
2bd49c56e6d54fee5c57dae7baf1aca580b88ce858f69e0d27919a71deac9dff

SHA512
337661b47bdc4c64ca6896811d0f89d003d94d368956e4c902f1e437f9fb9bb058a0bf697aff7326cf8692e773a2c40cf3390debe1abc6dbd6f8767dd2841efc

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
206B

MD5
f0858fd6f5ee8ecbeb9d140a61188281

SHA1
9c5ad1c3c29cab752025674da8daefaffffd82d8

SHA256
289102bc72e9178b014e6e9c78942ec8fe849b352e3635cb290ac44d218ca6ab

SHA512
646e5d05661ccb8770355fc87f92b190100a9821c5033731bff89529aeb72f26c60b0e1f2afb621db7853d4bd5fb9ee915ede76dc7d943b435411e59f2fce25e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
309B

MD5
e373de8b768064bd48568963808e1f4b

SHA1
b8d372870fde53a936cd399be3a77209735af7cd

SHA256
018113d395374a54375b8a10fcc3f5f5388ba596582df6c0997f561c20ddead1

SHA512
a862588ce1f1eab0b503219bfe44fd3006c69a41fb86073ee1820e410fc4dbdd4ffb4408f080a77fdaaff403438450a80a33d513e9f8f99cc99adb5a82390af8

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\rivtn.cc3

Filesize
20.1MB

MD5
0e23205bc16317002c63a9f536db15ac

SHA1
9fbf5670884684039e8448270d7e92c8c526fef9

SHA256
ab6fda162d38467de771218cf9df8f09dd903cf83d4f721279ace7a7ce20bf3e

SHA512
db0093505c1f4f420df10cce144120edda93546cb753bcc6c888a2db07597db15420558569c99574f0be707763cc22699ebb59b23bfbbf4281cfb6c71b27229b

Download Submit
\??\c:\users\admin\appdata\local\hhgxqxxmuv

Filesize
21.8MB

MD5
dd7733893b34678164c4f5051f8a226b

SHA1
57c6658d0c6cc5539320b74a0e285f1dd3a58196

SHA256
2bd49c56e6d54fee5c57dae7baf1aca580b88ce858f69e0d27919a71deac9dff

SHA512
337661b47bdc4c64ca6896811d0f89d003d94d368956e4c902f1e437f9fb9bb058a0bf697aff7326cf8692e773a2c40cf3390debe1abc6dbd6f8767dd2841efc

Download Submit
memory/1620-132-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download
memory/4960-133-0x0000000000000000-mapping.dmp

Download
memory/4960-136-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download
memory/4960-139-0x0000000000400000-0x000000000044E328-memory.dmp

Filesize
312KB

Download