gh0strat | 8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17

Analysis

max time kernel
192s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe
Size

95KB
MD5

76ae544df272650310248892a72800fb
SHA1

c259821477acf1cfc9b473bde2c62cd3d859e14a
SHA256

8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17
SHA512

673deee1876aa8adf87a4fc0b30e79a10645e8983a9aecdad5e3f43cd26ad35cd510653bc67acf7560c2f50fb36c3f5f82c5ee593e3497e261e9b2aed7ccdbb5
SSDEEP

1536:cNTrnFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prlBoCYvktI0:cNPRS4jHS8q/3nTzePCwNUh4E9leCYt0

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000900000002317b-139.dat	family_gh0strat
behavioral2/files/0x000900000002317b-140.dat	family_gh0strat
behavioral2/files/0x000900000002317b-141.dat	family_gh0strat
behavioral2/files/0x000900000002317b-142.dat	family_gh0strat
behavioral2/memory/4456-143-0x0000000000400000-0x000000000044C621-memory.dmp	family_gh0strat
behavioral2/files/0x000900000002317b-144.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4456	mcwdyxommu

Loads dropped DLL 4 IoCs

pid	Process
4424	svchost.exe
2360	svchost.exe
704	svchost.exe
4588	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\axgfxvaleg	svchost.exe
File created	C:\Windows\SysWOW64\axnpuooxed	svchost.exe
File created	C:\Windows\SysWOW64\aqlbsajcpo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\aypaymssqv	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4112	704	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	mcwdyxommu
4456	mcwdyxommu

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeRestorePrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	4456	mcwdyxommu
Token: SeRestorePrivilege	4456	mcwdyxommu
Token: SeRestorePrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	4456	mcwdyxommu
Token: SeRestorePrivilege	4456	mcwdyxommu
Token: SeRestorePrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	4456	mcwdyxommu
Token: SeRestorePrivilege	4456	mcwdyxommu
Token: SeBackupPrivilege	704	svchost.exe
Token: SeRestorePrivilege	704	svchost.exe
Token: SeBackupPrivilege	704	svchost.exe
Token: SeBackupPrivilege	704	svchost.exe
Token: SeSecurityPrivilege	704	svchost.exe
Token: SeSecurityPrivilege	704	svchost.exe
Token: SeBackupPrivilege	704	svchost.exe
Token: SeBackupPrivilege	704	svchost.exe
Token: SeSecurityPrivilege	704	svchost.exe
Token: SeBackupPrivilege	704	svchost.exe
Token: SeBackupPrivilege	704	svchost.exe
Token: SeSecurityPrivilege	704	svchost.exe
Token: SeBackupPrivilege	4424	svchost.exe
Token: SeRestorePrivilege	4424	svchost.exe
Token: SeBackupPrivilege	4424	svchost.exe
Token: SeBackupPrivilege	4424	svchost.exe
Token: SeSecurityPrivilege	4424	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeBackupPrivilege	4588	svchost.exe
Token: SeRestorePrivilege	4588	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4456	4168	8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe	82
PID 4168 wrote to memory of 4456	4168	8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe	82
PID 4168 wrote to memory of 4456	4168	8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe	82

C:\Users\Admin\AppData\Local\Temp\8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe
"C:\Users\Admin\AppData\Local\Temp\8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- \??\c:\users\admin\appdata\local\mcwdyxommu
  "C:\Users\Admin\AppData\Local\Temp\8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe" a -sc:\users\admin\appdata\local\temp\8adcede30bb9ec86a76b189dc1b946189fb2070ec5ee7c520852a826fbf88a17.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 736
  2⤵
  - Program crash
  PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 704 -ip 704
1⤵
PID:4616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\xwbop.cc3

Filesize
20.1MB

MD5
5ffa28e55c3e493e6a4b42561d513130

SHA1
b1aa70d99616be3c9359d8a41d6f8f114119759e

SHA256
63c866f1b468f26188043ec314f0b90f1799eb262f5aac621c30e28573ad19a4

SHA512
351c1e0243dd2c943b1ffc0a746e48aeb9d0e45b684edd5b1e3bb3cb59f66521a728a2e2bb4df57774e892bf00b54945b3d661c12f549a04ab9e9a8f3a17dc3c

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xwbop.cc3

Filesize
20.1MB

MD5
5ffa28e55c3e493e6a4b42561d513130

SHA1
b1aa70d99616be3c9359d8a41d6f8f114119759e

SHA256
63c866f1b468f26188043ec314f0b90f1799eb262f5aac621c30e28573ad19a4

SHA512
351c1e0243dd2c943b1ffc0a746e48aeb9d0e45b684edd5b1e3bb3cb59f66521a728a2e2bb4df57774e892bf00b54945b3d661c12f549a04ab9e9a8f3a17dc3c

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xwbop.cc3

Filesize
20.1MB

MD5
5ffa28e55c3e493e6a4b42561d513130

SHA1
b1aa70d99616be3c9359d8a41d6f8f114119759e

SHA256
63c866f1b468f26188043ec314f0b90f1799eb262f5aac621c30e28573ad19a4

SHA512
351c1e0243dd2c943b1ffc0a746e48aeb9d0e45b684edd5b1e3bb3cb59f66521a728a2e2bb4df57774e892bf00b54945b3d661c12f549a04ab9e9a8f3a17dc3c

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xwbop.cc3

Filesize
20.1MB

MD5
5ffa28e55c3e493e6a4b42561d513130

SHA1
b1aa70d99616be3c9359d8a41d6f8f114119759e

SHA256
63c866f1b468f26188043ec314f0b90f1799eb262f5aac621c30e28573ad19a4

SHA512
351c1e0243dd2c943b1ffc0a746e48aeb9d0e45b684edd5b1e3bb3cb59f66521a728a2e2bb4df57774e892bf00b54945b3d661c12f549a04ab9e9a8f3a17dc3c

Download Submit
C:\Users\Admin\AppData\Local\mcwdyxommu

Filesize
22.8MB

MD5
a8a5966d6b1f43c342d42409b0d32717

SHA1
a76c99943fea1e0a594f2f2f4d690f650018d9c5

SHA256
fda3d1e4eaf420f4f2a6d0e60ad83505124f15156aeeff7ce30481742d3f30fb

SHA512
66bebd081ff9128fa422d987cd74dfe9ee0a8b8b9f0a428303b9b3009db8b58366dc9a1d43035bce2b88bc09af55f852240694c21e4a8265fff507dd4d0344b1

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xwbop.cc3

Filesize
20.1MB

MD5
5ffa28e55c3e493e6a4b42561d513130

SHA1
b1aa70d99616be3c9359d8a41d6f8f114119759e

SHA256
63c866f1b468f26188043ec314f0b90f1799eb262f5aac621c30e28573ad19a4

SHA512
351c1e0243dd2c943b1ffc0a746e48aeb9d0e45b684edd5b1e3bb3cb59f66521a728a2e2bb4df57774e892bf00b54945b3d661c12f549a04ab9e9a8f3a17dc3c

Download Submit
\??\c:\users\admin\appdata\local\mcwdyxommu

Filesize
22.8MB

MD5
a8a5966d6b1f43c342d42409b0d32717

SHA1
a76c99943fea1e0a594f2f2f4d690f650018d9c5

SHA256
fda3d1e4eaf420f4f2a6d0e60ad83505124f15156aeeff7ce30481742d3f30fb

SHA512
66bebd081ff9128fa422d987cd74dfe9ee0a8b8b9f0a428303b9b3009db8b58366dc9a1d43035bce2b88bc09af55f852240694c21e4a8265fff507dd4d0344b1

Download Submit
memory/4168-136-0x0000000000400000-0x000000000044C621-memory.dmp

Filesize
305KB

Download
memory/4168-132-0x0000000000400000-0x000000000044C621-memory.dmp

Filesize
305KB

Download
memory/4456-138-0x0000000000400000-0x000000000044C621-memory.dmp

Filesize
305KB

Download
memory/4456-137-0x0000000000400000-0x000000000044C621-memory.dmp

Filesize
305KB

Download
memory/4456-143-0x0000000000400000-0x000000000044C621-memory.dmp

Filesize
305KB

Download