gh0strat | fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d

Analysis

max time kernel
178s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe
Size

96KB
MD5

b600ed1a4d792263e131a261a46bd62e
SHA1

8721027177c1c01f8b21712f32b85de9045d01d0
SHA256

fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d
SHA512

edc8410a4b56d8be51f0d1bd312ca78353797ee1085a6d05b68fa729a73827d7745d403c7728798d0941dbb0c481834f18ca2622296f578377d676c763172065
SSDEEP

1536:MuFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8priXE8m5:MUS4jHS8q/3nTzePCwNUh4E9gE8m5

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e66-138.dat	family_gh0strat
behavioral2/files/0x0007000000022e67-139.dat	family_gh0strat
behavioral2/files/0x0007000000022e67-140.dat	family_gh0strat
behavioral2/memory/4792-141-0x0000000000400000-0x000000000044E318-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e67-142.dat	family_gh0strat
behavioral2/files/0x0007000000022e67-144.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4792	mblwskskno

Loads dropped DLL 3 IoCs

pid	Process
4488	svchost.exe
2604	svchost.exe
3556	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cvmussaltg	svchost.exe
File created	C:\Windows\SysWOW64\cehxyoruhx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ccvssautiq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cyajdfaiee	svchost.exe
File created	C:\Windows\SysWOW64\cyqocohbrp	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4416	4488	WerFault.exe	84
3924	2604	WerFault.exe	88
1832	3556	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4792	mblwskskno
4792	mblwskskno

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	4792	mblwskskno
Token: SeBackupPrivilege	4792	mblwskskno
Token: SeBackupPrivilege	4792	mblwskskno
Token: SeRestorePrivilege	4792	mblwskskno
Token: SeRestorePrivilege	4792	mblwskskno
Token: SeBackupPrivilege	4792	mblwskskno
Token: SeBackupPrivilege	4792	mblwskskno
Token: SeRestorePrivilege	4792	mblwskskno
Token: SeBackupPrivilege	1644	svchost.exe
Token: SeRestorePrivilege	1644	svchost.exe
Token: SeBackupPrivilege	1644	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeRestorePrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeSecurityPrivilege	4488	svchost.exe
Token: SeBackupPrivilege	4488	svchost.exe
Token: SeRestorePrivilege	4488	svchost.exe
Token: SeBackupPrivilege	2604	svchost.exe
Token: SeRestorePrivilege	2604	svchost.exe
Token: SeBackupPrivilege	2604	svchost.exe
Token: SeBackupPrivilege	2604	svchost.exe
Token: SeSecurityPrivilege	2604	svchost.exe
Token: SeSecurityPrivilege	2604	svchost.exe
Token: SeBackupPrivilege	2604	svchost.exe
Token: SeBackupPrivilege	2604	svchost.exe
Token: SeSecurityPrivilege	2604	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeRestorePrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeSecurityPrivilege	3556	svchost.exe
Token: SeSecurityPrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeSecurityPrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeSecurityPrivilege	3556	svchost.exe
Token: SeBackupPrivilege	3556	svchost.exe
Token: SeRestorePrivilege	3556	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4792	4928	fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe	82
PID 4928 wrote to memory of 4792	4928	fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe	82
PID 4928 wrote to memory of 4792	4928	fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe	82

C:\Users\Admin\AppData\Local\Temp\fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe
"C:\Users\Admin\AppData\Local\Temp\fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- \??\c:\users\admin\appdata\local\mblwskskno
  "C:\Users\Admin\AppData\Local\Temp\fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe" a -sc:\users\admin\appdata\local\temp\fd33c4201d5714d02260bd52ee99a5624789610857daf32cbfb983bfe3edf95d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 948
  2⤵
  - Program crash
  PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4488 -ip 4488
1⤵
PID:4984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1084
  2⤵
  - Program crash
  PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2604 -ip 2604
1⤵
PID:2876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1112
  2⤵
  - Program crash
  PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3556 -ip 3556
1⤵
PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\skehk.cc3

Filesize
23.0MB

MD5
ad79f491bab66890e01e501ec773ac47

SHA1
06e5a291e106bbef0077c9d46d820dba765c87d2

SHA256
fa3c8e3aa12840b29def91f08d24459be794e851aab9c1ceff2d9216ad4182b7

SHA512
c36df9251eb783b5adc49786a0bf03f7f42cd5b4aeb87e847912c0f163b431c12d5aaa617d97dcb56e9a84fca33834f3fbd3b342b4b0135e89161eeac3fcccc0

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\skehk.cc3

Filesize
23.0MB

MD5
ad79f491bab66890e01e501ec773ac47

SHA1
06e5a291e106bbef0077c9d46d820dba765c87d2

SHA256
fa3c8e3aa12840b29def91f08d24459be794e851aab9c1ceff2d9216ad4182b7

SHA512
c36df9251eb783b5adc49786a0bf03f7f42cd5b4aeb87e847912c0f163b431c12d5aaa617d97dcb56e9a84fca33834f3fbd3b342b4b0135e89161eeac3fcccc0

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\skehk.cc3

Filesize
23.0MB

MD5
ad79f491bab66890e01e501ec773ac47

SHA1
06e5a291e106bbef0077c9d46d820dba765c87d2

SHA256
fa3c8e3aa12840b29def91f08d24459be794e851aab9c1ceff2d9216ad4182b7

SHA512
c36df9251eb783b5adc49786a0bf03f7f42cd5b4aeb87e847912c0f163b431c12d5aaa617d97dcb56e9a84fca33834f3fbd3b342b4b0135e89161eeac3fcccc0

Download Submit
C:\Users\Admin\AppData\Local\mblwskskno

Filesize
23.9MB

MD5
bb0401863984318e5177d77d0f3b1c4a

SHA1
4662843d1e954bd3f02a74a65f87efb0f283b6a6

SHA256
2debdf2bf1cb877276bf9649dc401173e2d9c64754d3968e87b7e97b0c01731a

SHA512
b689ae77bfa090c5ae783ac927356ba762fb959444bc46ce7c85d8e6e1e6a824c09070bccf7102cdb0355b282d355c79cd4d8acb54b9b2f9cb1bfbe5c1dad31b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
cb5097f9066f8b10e31f7b702ad52b8c

SHA1
73277cdadd6df87e96d5badeeebffe5ef521fafd

SHA256
262e32a4fefd1233ac06fea691b49fd3b1a48c0e8c340b7f39242ce2009c0c5c

SHA512
c1198cc37928a37234deafdda24def72ccd83251ba0011c0bb7fa2e725707bf94d43fcdbe3daf11bd32afa04a16ea0706edbf44bbcf0cff860106bf027776441

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
961decce6bebdd949e05106807869b5a

SHA1
6dd85dea7f4daa6dd98a878f75a999724246f5de

SHA256
8c7f16d92401812e6002d22a6d1891630ea8973ea2427c9e0a3d87e48d4b6284

SHA512
de1419acf7f3869d012dc85ae57b3089f15c7c5a9c6a221b95ab18e2350718e5c7ef5e70b2e41d4fb0940eaa82ed8aa430dbdb9b8e2f68726e21b5e48febdc04

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\skehk.cc3

Filesize
20.1MB

MD5
8ea04b870eae8a49a19ae9662fadeb60

SHA1
c3ae7dc6215f20505d2fe9a6ac7d2bbd441c6ab6

SHA256
330d2cbaacedc261b329d96a4a6ba5d5127a324d446a7b54ff6a6ea44a17081b

SHA512
8a592587f059e4170a4b8cbd1a00930d43f85f0af21afa0e6a7ff99a8da2a708250201d2e592a549f5c2b11b5659ba587e18f51d96fc16de0c9acb2d1e806fb0

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\skehk.cc3

Filesize
23.0MB

MD5
ad79f491bab66890e01e501ec773ac47

SHA1
06e5a291e106bbef0077c9d46d820dba765c87d2

SHA256
fa3c8e3aa12840b29def91f08d24459be794e851aab9c1ceff2d9216ad4182b7

SHA512
c36df9251eb783b5adc49786a0bf03f7f42cd5b4aeb87e847912c0f163b431c12d5aaa617d97dcb56e9a84fca33834f3fbd3b342b4b0135e89161eeac3fcccc0

Download Submit
\??\c:\users\admin\appdata\local\mblwskskno

Filesize
23.9MB

MD5
bb0401863984318e5177d77d0f3b1c4a

SHA1
4662843d1e954bd3f02a74a65f87efb0f283b6a6

SHA256
2debdf2bf1cb877276bf9649dc401173e2d9c64754d3968e87b7e97b0c01731a

SHA512
b689ae77bfa090c5ae783ac927356ba762fb959444bc46ce7c85d8e6e1e6a824c09070bccf7102cdb0355b282d355c79cd4d8acb54b9b2f9cb1bfbe5c1dad31b

Download Submit
memory/4792-141-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/4792-137-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/4792-136-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/4928-132-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download