gh0strat | 82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe
Size

95KB
MD5

3b4a37f61da7dbdec0e005d5d1d8e475
SHA1

1f0ba51c81f1aa21ebf013d15a3fb02be6b55513
SHA256

82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae
SHA512

d4981cf1168df199b0b5a29adb2667696fe6949c1991be7cb5bd46a81ce0990192691b6464a90a85f75a953c899beeddfb7eacef3822f47b062171d7704c5db4
SSDEEP

1536:NPFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr4KobKbCkun6fo:NZS4jHS8q/3nTzePCwNUh4E9toyCku6g

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e81b-138.dat	family_gh0strat
behavioral2/files/0x000400000001e81b-139.dat	family_gh0strat
behavioral2/memory/1268-140-0x0000000000400000-0x000000000044E5F0-memory.dmp	family_gh0strat
behavioral2/files/0x000400000001e81b-141.dat	family_gh0strat
behavioral2/files/0x000400000001e81b-143.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1268	gfdpferkek

Loads dropped DLL 3 IoCs

pid	Process
2052	svchost.exe
4888	svchost.exe
3672	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ngcdsravsa	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nnhcyekmsh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nnxhxnrfgr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4816	2052	WerFault.exe	83
4792	4888	WerFault.exe	88
4352	3672	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1268	gfdpferkek
1268	gfdpferkek

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1268	gfdpferkek
Token: SeBackupPrivilege	1268	gfdpferkek
Token: SeBackupPrivilege	1268	gfdpferkek
Token: SeRestorePrivilege	1268	gfdpferkek
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeRestorePrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeSecurityPrivilege	2052	svchost.exe
Token: SeSecurityPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeSecurityPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeSecurityPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	2052	svchost.exe
Token: SeRestorePrivilege	2052	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeRestorePrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeRestorePrivilege	4888	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeRestorePrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeSecurityPrivilege	3672	svchost.exe
Token: SeBackupPrivilege	3672	svchost.exe
Token: SeRestorePrivilege	3672	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1268	2180	82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe	81
PID 2180 wrote to memory of 1268	2180	82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe	81
PID 2180 wrote to memory of 1268	2180	82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe	81

C:\Users\Admin\AppData\Local\Temp\82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe
"C:\Users\Admin\AppData\Local\Temp\82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- \??\c:\users\admin\appdata\local\gfdpferkek
  "C:\Users\Admin\AppData\Local\Temp\82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe" a -sc:\users\admin\appdata\local\temp\82e334fdc3a322c0b883350cd12b88c4316967ad4a5e3fac16dc2f1372af6eae.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 872
  2⤵
  - Program crash
  PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2052 -ip 2052
1⤵
PID:4992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1112
  2⤵
  - Program crash
  PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4888 -ip 4888
1⤵
PID:1320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1104
  2⤵
  - Program crash
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3672 -ip 3672
1⤵
PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\gpjhw.cc3

Filesize
23.0MB

MD5
c6db73e00ced5e63e59c0985ea47d9cf

SHA1
50f319548f6d47854665fb7a0473859e89cad58f

SHA256
b9bf932a812ff08e43ade681c9b221b7b24e29bba74a3f505d90c5900ebb6d24

SHA512
2f929bd41548231e5330cecf3ca2d5d5fc65a8c187dd2c890bf49038e51bcc1e4ffa345c66adbc0c3afb54ecff2c61941ca3a130e0372c1a78c882ea4521f1e5

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\gpjhw.cc3

Filesize
23.0MB

MD5
c6db73e00ced5e63e59c0985ea47d9cf

SHA1
50f319548f6d47854665fb7a0473859e89cad58f

SHA256
b9bf932a812ff08e43ade681c9b221b7b24e29bba74a3f505d90c5900ebb6d24

SHA512
2f929bd41548231e5330cecf3ca2d5d5fc65a8c187dd2c890bf49038e51bcc1e4ffa345c66adbc0c3afb54ecff2c61941ca3a130e0372c1a78c882ea4521f1e5

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\gpjhw.cc3

Filesize
23.0MB

MD5
c6db73e00ced5e63e59c0985ea47d9cf

SHA1
50f319548f6d47854665fb7a0473859e89cad58f

SHA256
b9bf932a812ff08e43ade681c9b221b7b24e29bba74a3f505d90c5900ebb6d24

SHA512
2f929bd41548231e5330cecf3ca2d5d5fc65a8c187dd2c890bf49038e51bcc1e4ffa345c66adbc0c3afb54ecff2c61941ca3a130e0372c1a78c882ea4521f1e5

Download Submit
C:\Users\Admin\AppData\Local\gfdpferkek

Filesize
23.5MB

MD5
31d77accc5248b2a42294252bcfa66e7

SHA1
83ec7b83681b513ec2543e3328295b7d1c33b511

SHA256
825d7860f34604c0f1610bc38e18c79df5197d1f76ec1b250cde4cf2756ee7e8

SHA512
4a0226381b0ee9edf2c6bd9dc618fbf8ff8b02efe8f26f8dc9f9f21e316740fe1896d19f76b9cc2cc913e513af86172fa8698ef98eec7721014fe556dc4247c0

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
4cc96e5390f3969f84237f2dfc2a16a9

SHA1
2ac01336739a4ba5848f1168361861a6a499ab48

SHA256
9bf01868a9debbeebb429007a1f446bc75023bdbd2005a21c52d0ee8474a911f

SHA512
737ab5159dcbba2140c8e5d4bb95c48596b94f8184e71aef4a3851a0e549f0ac572ad7eaebcbfe7b965bc50411ed38c25ba01ffb31f47498060717640052a8c3

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
44691138413c3fbba3787c5bdf1d3d2b

SHA1
13fa4f6f889c3450624f270c68f5bc3a7a82e493

SHA256
60d1bb1e0b4d215f38eccfe4226d4fd895c9b1fc0d471f664615a0c55e5c79f1

SHA512
ff5a8766a53a1a48a1874658ccd6ea5bb729af51527b9eeff12184714e96be67e86f8d66b52294784d2e167b567da73a81abb843f5efb626f62a0427953d8236

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\gpjhw.cc3

Filesize
23.0MB

MD5
c6db73e00ced5e63e59c0985ea47d9cf

SHA1
50f319548f6d47854665fb7a0473859e89cad58f

SHA256
b9bf932a812ff08e43ade681c9b221b7b24e29bba74a3f505d90c5900ebb6d24

SHA512
2f929bd41548231e5330cecf3ca2d5d5fc65a8c187dd2c890bf49038e51bcc1e4ffa345c66adbc0c3afb54ecff2c61941ca3a130e0372c1a78c882ea4521f1e5

Download Submit
\??\c:\users\admin\appdata\local\gfdpferkek

Filesize
23.5MB

MD5
31d77accc5248b2a42294252bcfa66e7

SHA1
83ec7b83681b513ec2543e3328295b7d1c33b511

SHA256
825d7860f34604c0f1610bc38e18c79df5197d1f76ec1b250cde4cf2756ee7e8

SHA512
4a0226381b0ee9edf2c6bd9dc618fbf8ff8b02efe8f26f8dc9f9f21e316740fe1896d19f76b9cc2cc913e513af86172fa8698ef98eec7721014fe556dc4247c0

Download Submit
memory/1268-140-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/1268-137-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/1268-136-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/2180-132-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download