gh0strat | dfe88c225ba76e233c2dced11d32b3cf994466692dd8ab85be655907231e8acb

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1433.exe
Size

89KB
MD5

5aba57f11f1176d0a81dc28af9e77bdc
SHA1

efd087836b0bdd281b984bde113ab7f234cb38da
SHA256

4cc6f99c47bac7dd9f849aed8b0509511d5015efc80a284ba9a66cc60a36a559
SHA512

12ff3484fd7cfa6f290159a32e689f5130932806b4b2ccedae888eff30f420686ebefcdf5bb3e1013257830fc64f925cd26f776855ffb0b48465de64420ed59d
SSDEEP

1536:A9IywkUpmqyz2Wq9/lwiMbtzW56lq1eFd6+BHy7dHc4uNg/t4Bu6:A9IYiy6bjkDkMvHB8cj46

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral26/memory/4348-133-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral26/memory/4348-134-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral26/memory/5036-138-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral26/memory/5036-139-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral26/files/0x0007000000022e2b-140.dat	family_gh0strat
behavioral26/files/0x0007000000022e2b-141.dat	family_gh0strat
behavioral26/memory/5036-142-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral26/files/0x0007000000022e2b-143.dat	family_gh0strat
behavioral26/memory/5036-144-0x0000000000400000-0x000000000044A000-memory.dmp	family_gh0strat
behavioral26/files/0x0007000000022e2b-146.dat	family_gh0strat
behavioral26/files/0x0007000000022e2b-148.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
5036	gjheeflene

Loads dropped DLL 4 IoCs

pid	Process
4952	svchost.exe
1380	svchost.exe
1568	svchost.exe
2136	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xghywybdji	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xhqtxptkvw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xgxeuiivws	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xhboagmril	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xydbpmrmib	svchost.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2944	4952	WerFault.exe	81
1124	1380	WerFault.exe	82
3340	1568	WerFault.exe	88
4148	2136	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	gjheeflene
5036	gjheeflene

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeRestorePrivilege	5036	gjheeflene
Token: SeBackupPrivilege	5036	gjheeflene
Token: SeBackupPrivilege	5036	gjheeflene
Token: SeRestorePrivilege	5036	gjheeflene
Token: SeRestorePrivilege	5036	gjheeflene
Token: SeBackupPrivilege	5036	gjheeflene
Token: SeBackupPrivilege	5036	gjheeflene
Token: SeRestorePrivilege	5036	gjheeflene
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeSecurityPrivilege	4952	svchost.exe
Token: SeBackupPrivilege	4952	svchost.exe
Token: SeRestorePrivilege	4952	svchost.exe
Token: SeBackupPrivilege	1380	svchost.exe
Token: SeRestorePrivilege	1380	svchost.exe
Token: SeBackupPrivilege	1380	svchost.exe
Token: SeBackupPrivilege	1380	svchost.exe
Token: SeSecurityPrivilege	1380	svchost.exe
Token: SeSecurityPrivilege	1380	svchost.exe
Token: SeBackupPrivilege	1380	svchost.exe
Token: SeBackupPrivilege	1380	svchost.exe
Token: SeSecurityPrivilege	1380	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeRestorePrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeSecurityPrivilege	1568	svchost.exe
Token: SeSecurityPrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeSecurityPrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeSecurityPrivilege	1568	svchost.exe
Token: SeBackupPrivilege	1568	svchost.exe
Token: SeRestorePrivilege	1568	svchost.exe
Token: SeBackupPrivilege	2136	svchost.exe
Token: SeRestorePrivilege	2136	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 5036	4348	1433.exe	80
PID 4348 wrote to memory of 5036	4348	1433.exe	80
PID 4348 wrote to memory of 5036	4348	1433.exe	80

C:\Users\Admin\AppData\Local\Temp\1433.exe
"C:\Users\Admin\AppData\Local\Temp\1433.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- \??\c:\users\admin\appdata\local\gjheeflene
  "C:\Users\Admin\AppData\Local\Temp\1433.exe" a -sc:\users\admin\appdata\local\temp\1433.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 932
  2⤵
  - Program crash
  PID:2944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1112
  2⤵
  - Program crash
  PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4952 -ip 4952
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1380 -ip 1380
1⤵
PID:1564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1116
  2⤵
  - Program crash
  PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1568 -ip 1568
1⤵
PID:3520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 904
  2⤵
  - Program crash
  PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2136 -ip 2136
1⤵
PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DRM\%SESSIONNAME%\quwbd.cc3

Filesize
22.0MB

MD5
f8bd2e4929bed38deee447d364457172

SHA1
09767a483b4397f4dd947f1c028d63fb70d09fb5

SHA256
eeda5093f7ad46832761dda3cd2269d111d40652b7a4426cef0517bf1cd4652e

SHA512
bf130e7e01244a7420c6fe03927592d4e3518b22256f50227c3a25ff382389178246e890d35fb7336b4c4e0c3da859f4ad36fb61763cf7802cd7e0045bb9f29c

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\quwbd.cc3

Filesize
22.0MB

MD5
f8bd2e4929bed38deee447d364457172

SHA1
09767a483b4397f4dd947f1c028d63fb70d09fb5

SHA256
eeda5093f7ad46832761dda3cd2269d111d40652b7a4426cef0517bf1cd4652e

SHA512
bf130e7e01244a7420c6fe03927592d4e3518b22256f50227c3a25ff382389178246e890d35fb7336b4c4e0c3da859f4ad36fb61763cf7802cd7e0045bb9f29c

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\quwbd.cc3

Filesize
22.0MB

MD5
f8bd2e4929bed38deee447d364457172

SHA1
09767a483b4397f4dd947f1c028d63fb70d09fb5

SHA256
eeda5093f7ad46832761dda3cd2269d111d40652b7a4426cef0517bf1cd4652e

SHA512
bf130e7e01244a7420c6fe03927592d4e3518b22256f50227c3a25ff382389178246e890d35fb7336b4c4e0c3da859f4ad36fb61763cf7802cd7e0045bb9f29c

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\quwbd.cc3

Filesize
22.0MB

MD5
f8bd2e4929bed38deee447d364457172

SHA1
09767a483b4397f4dd947f1c028d63fb70d09fb5

SHA256
eeda5093f7ad46832761dda3cd2269d111d40652b7a4426cef0517bf1cd4652e

SHA512
bf130e7e01244a7420c6fe03927592d4e3518b22256f50227c3a25ff382389178246e890d35fb7336b4c4e0c3da859f4ad36fb61763cf7802cd7e0045bb9f29c

Download Submit
C:\Users\Admin\AppData\Local\gjheeflene

Filesize
23.8MB

MD5
b4f59130680880d30156dc24d8816e6a

SHA1
3495052051ff989d2b3ab1fb9e9751f3becad5f5

SHA256
66029abe08feecd36619bcb8832f02bd16f1ca1dfd36a1bbc317e7d6dd9a8362

SHA512
039e95dfb3b7c29964edd032b419a7aad80572989530c90ee4d883097a0dfa35621f38edae13f13afd15219c1fc4102d4cf6918c343a97f56165e6c3c9918b70

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
b2243b095ed19527246b12ab8e1e243c

SHA1
3be7541686196d28bd082c02ef0367a170db5ef9

SHA256
7788a046e02c82704f2704e44a029e4bfe1ed422941a8fda825a0c1b9feeb242

SHA512
de8b58644e26455d844678df7cb856f32a18f491b6db28d60546b04f3c2794254e41ab2d97a98e481ed463a38af425f870a4c7edfc35914d0b31dd1c736da54e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
751f767685cd7254548284ddd13b4773

SHA1
9fecbf658459c08f422eb7a6999e35d2519a736f

SHA256
db0c83b5c81caff89cfe488fdf3bb15deb88eaca20ad778fea75515811157681

SHA512
51c99dd8dcac5f567fdcfde9c8d6ea0bbd90833f48fcb2e4ff2848b269869baedbf2ecd7db9a3b78699006619d7e343a0b14c0d81bc6c85dbc951d339af3f71f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
408B

MD5
492fc1911f681393f1dd79b8235f1b82

SHA1
2eb2e1f9fe1ae21b6e960c0ca9b27b65f5d60370

SHA256
9155fb711150112ab7e301c2d1e914d4255b9719ff8dcec0168b06be0b1e5451

SHA512
c7964c92de4165ea686234ab7cee872549695c0aefc2829c9345d9787c153914a34a7a34826ed5f31f1035814cca14817635ca2e2a2873ec0be3db7c083565d9

Download Submit
\??\c:\programdata\drm\%sessionname%\quwbd.cc3

Filesize
22.0MB

MD5
f8bd2e4929bed38deee447d364457172

SHA1
09767a483b4397f4dd947f1c028d63fb70d09fb5

SHA256
eeda5093f7ad46832761dda3cd2269d111d40652b7a4426cef0517bf1cd4652e

SHA512
bf130e7e01244a7420c6fe03927592d4e3518b22256f50227c3a25ff382389178246e890d35fb7336b4c4e0c3da859f4ad36fb61763cf7802cd7e0045bb9f29c

Download Submit
\??\c:\users\admin\appdata\local\gjheeflene

Filesize
23.8MB

MD5
b4f59130680880d30156dc24d8816e6a

SHA1
3495052051ff989d2b3ab1fb9e9751f3becad5f5

SHA256
66029abe08feecd36619bcb8832f02bd16f1ca1dfd36a1bbc317e7d6dd9a8362

SHA512
039e95dfb3b7c29964edd032b419a7aad80572989530c90ee4d883097a0dfa35621f38edae13f13afd15219c1fc4102d4cf6918c343a97f56165e6c3c9918b70

Download Submit
memory/4348-132-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4348-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4348-133-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5036-142-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5036-139-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5036-144-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5036-138-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download