gh0strat | 74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 07:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe
Size

96KB
MD5

fa761ccf7c902b8b4aed9697794ae8e2
SHA1

2421632063654ea09e4f2f0a850aec6826749381
SHA256

74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986
SHA512

e087de5aa28d8ef38327bcaa2ba457f3fabc886d34de7eba029d0e35c5dc8abce5c74208e0da3679bccf18ec992b68403c181c3548ff8f58135674bd5e5df90d
SSDEEP

1536:7AFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prJtad95V93:7yS4jHS8q/3nTzePCwNUh4E9ITV93

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022dc3-137.dat	family_gh0strat
behavioral2/files/0x0004000000022dc3-138.dat	family_gh0strat
behavioral2/memory/3972-139-0x0000000000400000-0x000000000044F000-memory.dmp	family_gh0strat
behavioral2/files/0x0004000000022dc3-140.dat	family_gh0strat
behavioral2/files/0x0004000000022dc3-142.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
3972	eiqtxbtpps

Loads dropped DLL 3 IoCs

pid	Process
4860	svchost.exe
4660	svchost.exe
1904	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\fremvatthh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\faikcmdkhn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\fjynonjdgb	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2012	4860	WerFault.exe	81
1280	4660	WerFault.exe	85
4772	1904	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	eiqtxbtpps
3972	eiqtxbtpps

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3972	eiqtxbtpps
Token: SeBackupPrivilege	3972	eiqtxbtpps
Token: SeBackupPrivilege	3972	eiqtxbtpps
Token: SeRestorePrivilege	3972	eiqtxbtpps
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeRestorePrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeSecurityPrivilege	4860	svchost.exe
Token: SeSecurityPrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeSecurityPrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeSecurityPrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4860	svchost.exe
Token: SeRestorePrivilege	4860	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeRestorePrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeSecurityPrivilege	4660	svchost.exe
Token: SeSecurityPrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeSecurityPrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeSecurityPrivilege	4660	svchost.exe
Token: SeBackupPrivilege	4660	svchost.exe
Token: SeRestorePrivilege	4660	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeRestorePrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeSecurityPrivilege	1904	svchost.exe
Token: SeSecurityPrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeSecurityPrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeSecurityPrivilege	1904	svchost.exe
Token: SeBackupPrivilege	1904	svchost.exe
Token: SeRestorePrivilege	1904	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3972	1608	74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe	80
PID 1608 wrote to memory of 3972	1608	74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe	80
PID 1608 wrote to memory of 3972	1608	74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe	80

C:\Users\Admin\AppData\Local\Temp\74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe
"C:\Users\Admin\AppData\Local\Temp\74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- \??\c:\users\admin\appdata\local\eiqtxbtpps
  "C:\Users\Admin\AppData\Local\Temp\74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe" a -sc:\users\admin\appdata\local\temp\74cf64cb6d93c9aa8506454620ae73ccf9b648f6f0d3af984d5947452ee03986.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 952
  2⤵
  - Program crash
  PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4860 -ip 4860
1⤵
PID:1424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 724
  2⤵
  - Program crash
  PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4660 -ip 4660
1⤵
PID:3392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1116
  2⤵
  - Program crash
  PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1904 -ip 1904
1⤵
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\rjftw.cc3

Filesize
20.1MB

MD5
31f3b2dd551e25e48e3042643b372008

SHA1
78276e3e373f8f93e46df315b8a568a2584a51f3

SHA256
c980778a21730dd9bb3071163e78350590674a03af7524fc1dd0f79999b154f1

SHA512
3124a63e69a039a3ce55cde3b0319df31c6be32d943f96fdd9971e961429583e536e198132c7e88f0658203855bf5c4c2a302388880fe025d2e0a74a64f72e84

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\rjftw.cc3

Filesize
20.1MB

MD5
31f3b2dd551e25e48e3042643b372008

SHA1
78276e3e373f8f93e46df315b8a568a2584a51f3

SHA256
c980778a21730dd9bb3071163e78350590674a03af7524fc1dd0f79999b154f1

SHA512
3124a63e69a039a3ce55cde3b0319df31c6be32d943f96fdd9971e961429583e536e198132c7e88f0658203855bf5c4c2a302388880fe025d2e0a74a64f72e84

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\rjftw.cc3

Filesize
20.1MB

MD5
31f3b2dd551e25e48e3042643b372008

SHA1
78276e3e373f8f93e46df315b8a568a2584a51f3

SHA256
c980778a21730dd9bb3071163e78350590674a03af7524fc1dd0f79999b154f1

SHA512
3124a63e69a039a3ce55cde3b0319df31c6be32d943f96fdd9971e961429583e536e198132c7e88f0658203855bf5c4c2a302388880fe025d2e0a74a64f72e84

Download Submit
C:\Users\Admin\AppData\Local\eiqtxbtpps

Filesize
22.7MB

MD5
06da0e2d40431dcb146720e726cd4d96

SHA1
85e27d8a0b98076ac6dfdf729e60af9c5d827889

SHA256
59c39ffa49c00ad6eb7797a341a2387599bc022bcf1316ea3d40de37615fc3ac

SHA512
ac83ca4699da639bf9e79c2b2fe77df839d2fa7d39f05e6429f68ea61ed6a384f03d1032fe1470ae9eecee6bbea5f41cb348f73cb964e5e225dca6d0790d0590

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
206B

MD5
a54c0247265363ab1dd4dd177ab67dc7

SHA1
7cc6e816905925eaf2ce2db6d57bde784e22364c

SHA256
a156e3701bbeba05741d896ca26e498b233a0620a07b9c8b98c0980ad3485bc0

SHA512
289d013d7f84aa327fc82ce13ba36a2b1b92f879f8afe82f3294b3ed482622e00710bd38b3b7360c7c5e257afa5f6ba73b66a47e6cf87bbf41bdc25451474d24

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
309B

MD5
99ddfa7f1fbec533fc97bfe7aa4f8558

SHA1
ce2c86cfccbe1b77aae82be3c0e0e98f6a527ec7

SHA256
bef6ade48334f2a2fae4b46573f6f30a090a5a1963a44d2640bf3369890f317d

SHA512
e6202250ba9b491df6f4931927e2347a0b7f96a934c4581f76e446a1b9c7b3f572266610807e7d62688019f1d7282ea7452f425dabea3a48835a3ded411bf481

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\rjftw.cc3

Filesize
20.1MB

MD5
31f3b2dd551e25e48e3042643b372008

SHA1
78276e3e373f8f93e46df315b8a568a2584a51f3

SHA256
c980778a21730dd9bb3071163e78350590674a03af7524fc1dd0f79999b154f1

SHA512
3124a63e69a039a3ce55cde3b0319df31c6be32d943f96fdd9971e961429583e536e198132c7e88f0658203855bf5c4c2a302388880fe025d2e0a74a64f72e84

Download Submit
\??\c:\users\admin\appdata\local\eiqtxbtpps

Filesize
22.7MB

MD5
06da0e2d40431dcb146720e726cd4d96

SHA1
85e27d8a0b98076ac6dfdf729e60af9c5d827889

SHA256
59c39ffa49c00ad6eb7797a341a2387599bc022bcf1316ea3d40de37615fc3ac

SHA512
ac83ca4699da639bf9e79c2b2fe77df839d2fa7d39f05e6429f68ea61ed6a384f03d1032fe1470ae9eecee6bbea5f41cb348f73cb964e5e225dca6d0790d0590

Download Submit
memory/1608-132-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3972-136-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3972-139-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download