gh0strat | ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f

Analysis

max time kernel
151s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
Size

94KB
MD5

1651a4b94398baec98cde5bfe5e4d6b2
SHA1

27729660be6b1a8797823dca57116ffd7c789d9f
SHA256

ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f
SHA512

196cc06b2e01a09ae1f922e4087ac61c567c9609768a7f6141221b770c6029f77400746dac4dc56b52ab1ff17b08f507fd842aae4d666b7597a279cc9de15ae4
SSDEEP

1536:crFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prj2c3JIi:cFS4jHS8q/3nTzePCwNUh4E9jb6i

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e29-138.dat	family_gh0strat
behavioral2/files/0x0007000000022e29-139.dat	family_gh0strat
behavioral2/files/0x0009000000022e29-140.dat	family_gh0strat
behavioral2/files/0x0009000000022e29-141.dat	family_gh0strat
behavioral2/memory/4704-142-0x0000000000400000-0x000000000044E1F8-memory.dmp	family_gh0strat
behavioral2/files/0x0009000000022e29-144.dat	family_gh0strat
behavioral2/files/0x0009000000022e29-146.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4704	gtihbnjsmr

Loads dropped DLL 4 IoCs

pid	Process
3872	svchost.exe
3876	svchost.exe
2388	svchost.exe
512	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mlpcgmfiek	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\madymgkhtc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mvmaxvgpwl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\meqyeiqgws	svchost.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2600	3872	WerFault.exe	80
4608	3876	WerFault.exe	87
1860	2388	WerFault.exe	90
2512	512	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4704	gtihbnjsmr
4704	gtihbnjsmr

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeRestorePrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	4704	gtihbnjsmr
Token: SeRestorePrivilege	4704	gtihbnjsmr
Token: SeRestorePrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeRestorePrivilege	3872	svchost.exe
Token: SeBackupPrivilege	4704	gtihbnjsmr
Token: SeRestorePrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeSecurityPrivilege	3872	svchost.exe
Token: SeSecurityPrivilege	3872	svchost.exe
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeSecurityPrivilege	3872	svchost.exe
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeBackupPrivilege	3872	svchost.exe
Token: SeSecurityPrivilege	3872	svchost.exe
Token: SeRestorePrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	4704	gtihbnjsmr
Token: SeRestorePrivilege	4704	gtihbnjsmr
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeRestorePrivilege	3876	svchost.exe
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeSecurityPrivilege	3876	svchost.exe
Token: SeSecurityPrivilege	3876	svchost.exe
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeSecurityPrivilege	3876	svchost.exe
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeBackupPrivilege	3876	svchost.exe
Token: SeSecurityPrivilege	3876	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeRestorePrivilege	2388	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeSecurityPrivilege	2388	svchost.exe
Token: SeSecurityPrivilege	2388	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeSecurityPrivilege	2388	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeBackupPrivilege	2388	svchost.exe
Token: SeSecurityPrivilege	2388	svchost.exe
Token: SeBackupPrivilege	512	svchost.exe
Token: SeRestorePrivilege	512	svchost.exe
Token: SeBackupPrivilege	512	svchost.exe
Token: SeBackupPrivilege	512	svchost.exe
Token: SeSecurityPrivilege	512	svchost.exe
Token: SeSecurityPrivilege	512	svchost.exe
Token: SeBackupPrivilege	512	svchost.exe
Token: SeBackupPrivilege	512	svchost.exe
Token: SeSecurityPrivilege	512	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4704	3672	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	79
PID 3672 wrote to memory of 4704	3672	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	79
PID 3672 wrote to memory of 4704	3672	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	79

C:\Users\Admin\AppData\Local\Temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
"C:\Users\Admin\AppData\Local\Temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672
- \??\c:\users\admin\appdata\local\gtihbnjsmr
  "C:\Users\Admin\AppData\Local\Temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe" a -sc:\users\admin\appdata\local\temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1040
  2⤵
  - Program crash
  PID:2600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3872 -ip 3872
1⤵
PID:3568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1116
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3876 -ip 3876
1⤵
PID:4160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1108
  2⤵
  - Program crash
  PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2388 -ip 2388
1⤵
PID:4756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1112
  2⤵
  - Program crash
  PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 512 -ip 512
1⤵
PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\quxlt.cc3

Filesize
19.1MB

MD5
e9e181a02d2c2a204a06ad272fed2d14

SHA1
a64dc45e3886360d91d00fc8f3b1f9ba0ac4ceda

SHA256
d131d49193b3678507bc4f038455b2a1634a920b26fc523954206b7695c44a47

SHA512
c4d220fc66d496ffb810eb17d8e21c1300b080a72cd598cb8d2f94170a7d5fdc6659fb140bd2025b98e6c0f1a6ad87466b42a1a5602999106eb9936ac47aa037

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\quxlt.cc3

Filesize
24.0MB

MD5
1c73fbce90335375dfe8c044b2c00369

SHA1
fcb67b00d3d5b29172cf4bec5052d42993759ed1

SHA256
31982c237fabd7dda1aba53c4688b288751bebe29e6e17c7a5d329d04338224f

SHA512
724e330e2f2bbe9dc187ca22d9fd92bd6848253e4e8bc084c8f6003e897789a9a123f5380bc7451e48e204a6d8caa66651178b71b13d540d0b2c2ee9cba17975

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\quxlt.cc3

Filesize
24.0MB

MD5
1c73fbce90335375dfe8c044b2c00369

SHA1
fcb67b00d3d5b29172cf4bec5052d42993759ed1

SHA256
31982c237fabd7dda1aba53c4688b288751bebe29e6e17c7a5d329d04338224f

SHA512
724e330e2f2bbe9dc187ca22d9fd92bd6848253e4e8bc084c8f6003e897789a9a123f5380bc7451e48e204a6d8caa66651178b71b13d540d0b2c2ee9cba17975

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\quxlt.cc3

Filesize
24.0MB

MD5
1c73fbce90335375dfe8c044b2c00369

SHA1
fcb67b00d3d5b29172cf4bec5052d42993759ed1

SHA256
31982c237fabd7dda1aba53c4688b288751bebe29e6e17c7a5d329d04338224f

SHA512
724e330e2f2bbe9dc187ca22d9fd92bd6848253e4e8bc084c8f6003e897789a9a123f5380bc7451e48e204a6d8caa66651178b71b13d540d0b2c2ee9cba17975

Download Submit
C:\Users\Admin\AppData\Local\gtihbnjsmr

Filesize
24.0MB

MD5
3d72a2d0f6d8ccd13533cd4b0bcedc54

SHA1
2b76abfdac5e779caca568c1da9660882e771af8

SHA256
f4854f1a5ec5ed4155d8fedce584d7af4d269988332fc83bafd04d4ab37161a8

SHA512
9e7582bb3f83f0be2c8750bca8f04674c36944fdb64d252f3eac714efbaee317b77751cb34c08164770b5e475b77edff3d2e1d2c81b102cc9f47b46547d0bd58

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
0448ceadb7196ddc06704fbf01a8c444

SHA1
95dde5cdf5a7f19881dcd5f58468be6ef3e8522e

SHA256
b7e368d355335d8387a5810fc850d980fa8e1dc45a16c59e7275d999bd53ebde

SHA512
89b059618dc4c4d33c9674c77a3284d644847b6b2c7077ca0fac1137fbee4d1ab7c35aa5ace067c16b3fde8afc3c874bf54af9fd0f6b028035ef39f43379a69e

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
df170092c0cb84b48ae5b72a60f5e5bb

SHA1
0b1569735fe2f44ed9ecc92d901ec286d5bb430f

SHA256
8912cbc8aff37db4cd3f02b9c4bf615608920473fa7a09ab1ebc8eaaf1e1a7a2

SHA512
ba167b9b352762948fb26f2f79f6f53639af044e7b401519b61f69575493c4b88b76f8f8cd29dc5685b5a580b1af8e285a1dadede9938a7ef1cfde0d26720725

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
404B

MD5
c2f6ec606698dcf1a84919321ec31500

SHA1
66478575eded4515d798e59978b108ca801604b4

SHA256
d59098b095c37255f48ab21322010a5a7bb868a05398d0f2ef7974a27f435c9d

SHA512
4f8ee2bcd0bee88f1afcb744d0699aa14e7f1710e4adfb2f6956ab1ec7ca9b5ef8f3371a969bf000bd24d2a1d520c260c5fe579df3cc450858647ddd31212ba1

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\quxlt.cc3

Filesize
19.1MB

MD5
e9e181a02d2c2a204a06ad272fed2d14

SHA1
a64dc45e3886360d91d00fc8f3b1f9ba0ac4ceda

SHA256
d131d49193b3678507bc4f038455b2a1634a920b26fc523954206b7695c44a47

SHA512
c4d220fc66d496ffb810eb17d8e21c1300b080a72cd598cb8d2f94170a7d5fdc6659fb140bd2025b98e6c0f1a6ad87466b42a1a5602999106eb9936ac47aa037

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\quxlt.cc3

Filesize
24.0MB

MD5
1c73fbce90335375dfe8c044b2c00369

SHA1
fcb67b00d3d5b29172cf4bec5052d42993759ed1

SHA256
31982c237fabd7dda1aba53c4688b288751bebe29e6e17c7a5d329d04338224f

SHA512
724e330e2f2bbe9dc187ca22d9fd92bd6848253e4e8bc084c8f6003e897789a9a123f5380bc7451e48e204a6d8caa66651178b71b13d540d0b2c2ee9cba17975

Download Submit
\??\c:\users\admin\appdata\local\gtihbnjsmr

Filesize
24.0MB

MD5
3d72a2d0f6d8ccd13533cd4b0bcedc54

SHA1
2b76abfdac5e779caca568c1da9660882e771af8

SHA256
f4854f1a5ec5ed4155d8fedce584d7af4d269988332fc83bafd04d4ab37161a8

SHA512
9e7582bb3f83f0be2c8750bca8f04674c36944fdb64d252f3eac714efbaee317b77751cb34c08164770b5e475b77edff3d2e1d2c81b102cc9f47b46547d0bd58

Download Submit
memory/3672-132-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download
memory/4704-142-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download
memory/4704-137-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download
memory/4704-136-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download