gh0strat | 91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a

General

Target

91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe
Size

96KB
MD5

774e1e7ca57509d3dd62dee398482e1c
SHA1

1138c5f397da6e2cf071d388e161dce5f58e202a
SHA256

91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a
SHA512

f8995008a2a47796915c0e4404ba7a06e922a6e6592094e5f4980e439d06bc66ef63087976834c5510c9334515c24bd154ee2b76be9aaf9bde18025b71a9047d
SSDEEP

1536:jNFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prRopHus:jzS4jHS8q/3nTzePCwNUh4E9qOs

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e12-138.dat	family_gh0strat
behavioral2/files/0x0007000000022e12-139.dat	family_gh0strat
behavioral2/memory/2220-140-0x0000000000400000-0x000000000044E4A4-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e12-141.dat	family_gh0strat
behavioral2/files/0x0007000000022e12-143.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2220	dikpddblxo

Loads dropped DLL 3 IoCs

pid	Process
4220	svchost.exe
3272	svchost.exe
4044	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ytdbuwhecl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ydrudakcoh	svchost.exe
File created	C:\Windows\SysWOW64\yciacjrucr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ycxfasynpd	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
516	4220	WerFault.exe	80
4208	3272	WerFault.exe	84
3352	4044	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	dikpddblxo
2220	dikpddblxo

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	2220	dikpddblxo
Token: SeBackupPrivilege	2220	dikpddblxo
Token: SeBackupPrivilege	2220	dikpddblxo
Token: SeRestorePrivilege	2220	dikpddblxo
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeRestorePrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeSecurityPrivilege	4220	svchost.exe
Token: SeBackupPrivilege	4220	svchost.exe
Token: SeRestorePrivilege	4220	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeRestorePrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeRestorePrivilege	3272	svchost.exe
Token: SeBackupPrivilege	4044	svchost.exe
Token: SeRestorePrivilege	4044	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2220	4568	91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe	79
PID 4568 wrote to memory of 2220	4568	91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe	79
PID 4568 wrote to memory of 2220	4568	91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe	79

C:\Users\Admin\AppData\Local\Temp\91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe
"C:\Users\Admin\AppData\Local\Temp\91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- \??\c:\users\admin\appdata\local\dikpddblxo
  "C:\Users\Admin\AppData\Local\Temp\91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe" a -sc:\users\admin\appdata\local\temp\91b7df07f5dbf04cf0b9a263249ef70cc4e9e2ae194b5a3adcc62e8c487f5d6a.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 872
  2⤵
  - Program crash
  PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4220 -ip 4220
1⤵
PID:4800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1112
  2⤵
  - Program crash
  PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3272 -ip 3272
1⤵
PID:4996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 964
  2⤵
  - Program crash
  PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044
1⤵
PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\ujfwq.cc3

Filesize
24.1MB

MD5
288dd3457bffcebc396f14f7d3799f0b

SHA1
9ad0aea175f16b28c6b71300a51bb46bab182dc5

SHA256
a494154f6a9bf08df2293f605447333ded1e954f65b5c2875d5bd8a361b305d2

SHA512
94f12af257e4a450272335c3998b0cb5310635995bcfaf4eae1e4f2dcd8daca7e87c42e5b9125aa3aafa18590a8977604c2edcbed33c7d8ede6d07166e579902

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\ujfwq.cc3

Filesize
24.1MB

MD5
288dd3457bffcebc396f14f7d3799f0b

SHA1
9ad0aea175f16b28c6b71300a51bb46bab182dc5

SHA256
a494154f6a9bf08df2293f605447333ded1e954f65b5c2875d5bd8a361b305d2

SHA512
94f12af257e4a450272335c3998b0cb5310635995bcfaf4eae1e4f2dcd8daca7e87c42e5b9125aa3aafa18590a8977604c2edcbed33c7d8ede6d07166e579902

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\ujfwq.cc3

Filesize
24.1MB

MD5
288dd3457bffcebc396f14f7d3799f0b

SHA1
9ad0aea175f16b28c6b71300a51bb46bab182dc5

SHA256
a494154f6a9bf08df2293f605447333ded1e954f65b5c2875d5bd8a361b305d2

SHA512
94f12af257e4a450272335c3998b0cb5310635995bcfaf4eae1e4f2dcd8daca7e87c42e5b9125aa3aafa18590a8977604c2edcbed33c7d8ede6d07166e579902

Download Submit
C:\Users\Admin\AppData\Local\dikpddblxo

Filesize
22.2MB

MD5
ad4268d749f9c811086091fa8836aed1

SHA1
1ab4fba005beaf76e36843801b931ab88438a0b7

SHA256
4f4265bd3699790e91333e8dfe7507a1df0de3404a450e886dd9e0c20b059858

SHA512
adcd60cf80858ea94f25f30cac5e910b2ab99969267948bbdb5ac536b9f87519f4602ee5a90da9b676f37bbe4755c84dc171fd57de8b517bab3c0eadd07277b4

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
abdcf71ba014479ee35335c3ceb294c1

SHA1
09d9180e8b9351ff3b157ee92aee547be0138fb8

SHA256
ef6a8f451ba550f475c1d87f5bdcab40c2c9b03547bde8109fc6d52f5ef6e5a3

SHA512
2f73d2fd8ab90f4c0e4a88c099cb408110733700a2b99f01497685fa9fa40660da48edf70b75f76e17001e8fe963ad840b34d50c8574f29ea5cf0b6c29361b46

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
fb9e5a743e8ac1aea98148dc06e67597

SHA1
8f33e91a07778477ac63c48a3db0171732800611

SHA256
9bcf6b0ebe31d2d19806cfba5fbb9a3ad14ef010a693a5fd444c94a74a693a06

SHA512
c9090cbaa5720c70043e9069ad8b874c8d0a4d3b953e3ae1a3b3cfb6d0ed28051c02c8841d522578f62a8e44b7ce242375c3ddbe5ca0e6ac362339a1bf5ea151

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\ujfwq.cc3

Filesize
24.1MB

MD5
288dd3457bffcebc396f14f7d3799f0b

SHA1
9ad0aea175f16b28c6b71300a51bb46bab182dc5

SHA256
a494154f6a9bf08df2293f605447333ded1e954f65b5c2875d5bd8a361b305d2

SHA512
94f12af257e4a450272335c3998b0cb5310635995bcfaf4eae1e4f2dcd8daca7e87c42e5b9125aa3aafa18590a8977604c2edcbed33c7d8ede6d07166e579902

Download Submit
\??\c:\users\admin\appdata\local\dikpddblxo

Filesize
22.2MB

MD5
ad4268d749f9c811086091fa8836aed1

SHA1
1ab4fba005beaf76e36843801b931ab88438a0b7

SHA256
4f4265bd3699790e91333e8dfe7507a1df0de3404a450e886dd9e0c20b059858

SHA512
adcd60cf80858ea94f25f30cac5e910b2ab99969267948bbdb5ac536b9f87519f4602ee5a90da9b676f37bbe4755c84dc171fd57de8b517bab3c0eadd07277b4

Download Submit
memory/2220-140-0x0000000000400000-0x000000000044E4A4-memory.dmp

Filesize
313KB

Download
memory/2220-137-0x0000000000400000-0x000000000044E4A4-memory.dmp

Filesize
313KB

Download
memory/4568-132-0x0000000000400000-0x000000000044E4A4-memory.dmp

Filesize
313KB

Download
memory/4568-135-0x0000000000400000-0x000000000044E4A4-memory.dmp

Filesize
313KB

Download

Analysis

Sharing