gh0strat | 5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe
Size

96KB
MD5

40f74ea337918dde6da0497d064bc02b
SHA1

a461d82ef9de1c54a7d55125ecca8bfac3322727
SHA256

5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907
SHA512

f54211f68e96233193d5ec7ea238b4199adc60f1f95caf971c5cf6bfebdb47c7f4d74a0f8b54b7165911ab3e7645eabec599ebce2c80cdd75adb716e994f0b5c
SSDEEP

1536:MJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prMmdIUYG:MfS4jHS8q/3nTzePCwNUh4E9MmdIjG

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e3a-139.dat	family_gh0strat
behavioral2/files/0x0007000000022e3a-140.dat	family_gh0strat
behavioral2/memory/1500-141-0x0000000000400000-0x000000000044E334-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e3a-142.dat	family_gh0strat
behavioral2/files/0x0007000000022e3a-144.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1500	lmiglihfrk

Loads dropped DLL 3 IoCs

pid	Process
4712	svchost.exe
2588	svchost.exe
1008	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\coesrbtkum	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cwjqxndbus	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cvavwwltie	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5020	4712	WerFault.exe	82
1244	2588	WerFault.exe	86
3376	1008	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	lmiglihfrk
1500	lmiglihfrk

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1500	lmiglihfrk
Token: SeBackupPrivilege	1500	lmiglihfrk
Token: SeBackupPrivilege	1500	lmiglihfrk
Token: SeRestorePrivilege	1500	lmiglihfrk
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeRestorePrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeSecurityPrivilege	4712	svchost.exe
Token: SeSecurityPrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeSecurityPrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeSecurityPrivilege	4712	svchost.exe
Token: SeBackupPrivilege	4712	svchost.exe
Token: SeRestorePrivilege	4712	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeRestorePrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeRestorePrivilege	2588	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeSecurityPrivilege	1008	svchost.exe
Token: SeSecurityPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeSecurityPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeSecurityPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1500	4964	5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe	79
PID 4964 wrote to memory of 1500	4964	5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe	79
PID 4964 wrote to memory of 1500	4964	5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe	79

C:\Users\Admin\AppData\Local\Temp\5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe
"C:\Users\Admin\AppData\Local\Temp\5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- \??\c:\users\admin\appdata\local\lmiglihfrk
  "C:\Users\Admin\AppData\Local\Temp\5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe" a -sc:\users\admin\appdata\local\temp\5b996076e9ad39075e206bc982ec6d3bacf2fb6ce7512c79d0aa7016e0093907.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 880
  2⤵
  - Program crash
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4712 -ip 4712
1⤵
PID:3936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1112
  2⤵
  - Program crash
  PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2588 -ip 2588
1⤵
PID:3596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1096
  2⤵
  - Program crash
  PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1008 -ip 1008
1⤵
PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\xmtvt.cc3

Filesize
20.0MB

MD5
0297b89648821b57949ac895f64137b4

SHA1
e2495c48eb6b81fdc8321d0fe43c3328b26264c1

SHA256
10d94bb4ada61e2900c22adedde21cc72324826503b188e616dbceb57cadb60c

SHA512
3c20c1bd23ec9eae967a19b417cdca4da4703c5e4004021ee760f9fb9ab2ec5169fa184092852fd85cae55ff89a7a47e13d8957bba8989c75290ee6dad367eac

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xmtvt.cc3

Filesize
20.0MB

MD5
0297b89648821b57949ac895f64137b4

SHA1
e2495c48eb6b81fdc8321d0fe43c3328b26264c1

SHA256
10d94bb4ada61e2900c22adedde21cc72324826503b188e616dbceb57cadb60c

SHA512
3c20c1bd23ec9eae967a19b417cdca4da4703c5e4004021ee760f9fb9ab2ec5169fa184092852fd85cae55ff89a7a47e13d8957bba8989c75290ee6dad367eac

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xmtvt.cc3

Filesize
20.0MB

MD5
0297b89648821b57949ac895f64137b4

SHA1
e2495c48eb6b81fdc8321d0fe43c3328b26264c1

SHA256
10d94bb4ada61e2900c22adedde21cc72324826503b188e616dbceb57cadb60c

SHA512
3c20c1bd23ec9eae967a19b417cdca4da4703c5e4004021ee760f9fb9ab2ec5169fa184092852fd85cae55ff89a7a47e13d8957bba8989c75290ee6dad367eac

Download Submit
C:\Users\Admin\AppData\Local\lmiglihfrk

Filesize
23.7MB

MD5
84079ca60f6af0e54d70800bdec502d0

SHA1
9348f6d51defc2ca3c1cbacb34e6545be9e2a662

SHA256
3b593ce406a40c033c4e4cc9565c64ce41a64e13d0cffd3e8f1695cdcac400da

SHA512
51c38f3dc25a186623a04c1cf66cdbeff5a8b3d9d7772edbd09544c76368079aace58ea50297933831debd45be5c79901bdc883384b7a1bca6841c8358b4f498

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
206B

MD5
b6a0c3245c5e44d03f2525d6b9f5653b

SHA1
7a98b368eb79799be9d741f58ec2adaf466a1727

SHA256
6043450390e114c7bd3602280c07b8b4abdfc48e21347f232bf1d4d8d2dea46f

SHA512
0b105bb66b3bbc0a6c12593b01a0b3dffe171846339a6e1bc6e1e03f0ed4c53ee4d07ff1a798049e3b2f399c3f86ca021ad7579dcdd862a9bc4b9f0cde722ac0

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
309B

MD5
75ec30edf3e510dcc665af36f93d5712

SHA1
33c8e05a864dc8b54bfbe2fd5a6cf0eea66110c2

SHA256
ea348fb6ed273ed14ef936f70a53b0981c53c3a4b59e508d115e93f8fa68d2ce

SHA512
375a2dd428bcf69dff742097e2e1ae240d952e408f055aed58c3603288048f042462cb463a33ace60f0848403d13e1ed6809f66ee935d49c19ebbee4333f8867

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xmtvt.cc3

Filesize
20.0MB

MD5
0297b89648821b57949ac895f64137b4

SHA1
e2495c48eb6b81fdc8321d0fe43c3328b26264c1

SHA256
10d94bb4ada61e2900c22adedde21cc72324826503b188e616dbceb57cadb60c

SHA512
3c20c1bd23ec9eae967a19b417cdca4da4703c5e4004021ee760f9fb9ab2ec5169fa184092852fd85cae55ff89a7a47e13d8957bba8989c75290ee6dad367eac

Download Submit
\??\c:\users\admin\appdata\local\lmiglihfrk

Filesize
23.7MB

MD5
84079ca60f6af0e54d70800bdec502d0

SHA1
9348f6d51defc2ca3c1cbacb34e6545be9e2a662

SHA256
3b593ce406a40c033c4e4cc9565c64ce41a64e13d0cffd3e8f1695cdcac400da

SHA512
51c38f3dc25a186623a04c1cf66cdbeff5a8b3d9d7772edbd09544c76368079aace58ea50297933831debd45be5c79901bdc883384b7a1bca6841c8358b4f498

Download Submit
memory/1500-141-0x0000000000400000-0x000000000044E334-memory.dmp

Filesize
312KB

Download
memory/1500-138-0x0000000000400000-0x000000000044E334-memory.dmp

Filesize
312KB

Download
memory/1500-137-0x0000000000400000-0x000000000044E334-memory.dmp

Filesize
312KB

Download
memory/4964-132-0x0000000000400000-0x000000000044E334-memory.dmp

Filesize
312KB

Download
memory/4964-135-0x0000000000400000-0x000000000044E334-memory.dmp

Filesize
312KB

Download