gh0strat | 33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673

Analysis

max time kernel
92s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe
Size

96KB
MD5

c22b9b7fd851e2f4d24d7fdc1d67a231
SHA1

6c309c1146fd6f753e3425f1c50c8a1a6a34d0ea
SHA256

33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673
SHA512

91b19696a93f21f403055b576e55e3257f739821aeafab7c77cfbd0ace9982ea892b8067e31f456d5cab7f41d6bbd27286370f73de12d92a16c3bf36b2788afc
SSDEEP

1536:lDFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prpnE+uv:l9S4jHS8q/3nTzePCwNUh4E9pnHuv

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f65-139.dat	family_gh0strat
behavioral2/files/0x0008000000022f65-138.dat	family_gh0strat
behavioral2/memory/2276-140-0x0000000000400000-0x000000000044E374-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000022f65-141.dat	family_gh0strat
behavioral2/files/0x0008000000022f65-143.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2276	jdmtflbuvn

Loads dropped DLL 3 IoCs

pid	Process
1648	svchost.exe
4884	svchost.exe
3324	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qqamqbgtmf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qrcwuykoyw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qawaaucxmo	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3276	1648	WerFault.exe	79
3808	4884	WerFault.exe	85
1688	3324	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2276	jdmtflbuvn
2276	jdmtflbuvn

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2276	jdmtflbuvn
Token: SeBackupPrivilege	2276	jdmtflbuvn
Token: SeBackupPrivilege	2276	jdmtflbuvn
Token: SeRestorePrivilege	2276	jdmtflbuvn
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeRestorePrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeSecurityPrivilege	1648	svchost.exe
Token: SeSecurityPrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeSecurityPrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeSecurityPrivilege	1648	svchost.exe
Token: SeBackupPrivilege	1648	svchost.exe
Token: SeRestorePrivilege	1648	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeRestorePrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeSecurityPrivilege	4884	svchost.exe
Token: SeSecurityPrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeSecurityPrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeSecurityPrivilege	4884	svchost.exe
Token: SeBackupPrivilege	4884	svchost.exe
Token: SeRestorePrivilege	4884	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeRestorePrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeSecurityPrivilege	3324	svchost.exe
Token: SeSecurityPrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeSecurityPrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeSecurityPrivilege	3324	svchost.exe
Token: SeBackupPrivilege	3324	svchost.exe
Token: SeRestorePrivilege	3324	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2276	4740	33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe	78
PID 4740 wrote to memory of 2276	4740	33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe	78
PID 4740 wrote to memory of 2276	4740	33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe	78

C:\Users\Admin\AppData\Local\Temp\33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe
"C:\Users\Admin\AppData\Local\Temp\33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- \??\c:\users\admin\appdata\local\jdmtflbuvn
  "C:\Users\Admin\AppData\Local\Temp\33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe" a -sc:\users\admin\appdata\local\temp\33225bc390058d3bf7c1c73d8020faa3934420dec87c86e865bf48a4dd51f673.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 796
  2⤵
  - Program crash
  PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1648 -ip 1648
1⤵
PID:2988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 676
  2⤵
  - Program crash
  PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4884 -ip 4884
1⤵
PID:3372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 936
  2⤵
  - Program crash
  PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3324 -ip 3324
1⤵
PID:3328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\qvkep.cc3

Filesize
24.0MB

MD5
7dcbeda590366ab02ef21546b0575a77

SHA1
e56bf3af619abf5d5b5223f618e07ca1f13deaf8

SHA256
a5d06c5913ec7c2ff8e348a6e234d7125a18d4f036cc3cbf29150fc8791021f0

SHA512
75df7c6535afa14468c24c51c3a2591d6e687e07999dca3162dbbc438327591910e9f6a4f3921ee465af69e43a220beb62b1469f5da592736d771768b1cdce5c

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\qvkep.cc3

Filesize
24.0MB

MD5
7dcbeda590366ab02ef21546b0575a77

SHA1
e56bf3af619abf5d5b5223f618e07ca1f13deaf8

SHA256
a5d06c5913ec7c2ff8e348a6e234d7125a18d4f036cc3cbf29150fc8791021f0

SHA512
75df7c6535afa14468c24c51c3a2591d6e687e07999dca3162dbbc438327591910e9f6a4f3921ee465af69e43a220beb62b1469f5da592736d771768b1cdce5c

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\qvkep.cc3

Filesize
24.0MB

MD5
7dcbeda590366ab02ef21546b0575a77

SHA1
e56bf3af619abf5d5b5223f618e07ca1f13deaf8

SHA256
a5d06c5913ec7c2ff8e348a6e234d7125a18d4f036cc3cbf29150fc8791021f0

SHA512
75df7c6535afa14468c24c51c3a2591d6e687e07999dca3162dbbc438327591910e9f6a4f3921ee465af69e43a220beb62b1469f5da592736d771768b1cdce5c

Download Submit
C:\Users\Admin\AppData\Local\jdmtflbuvn

Filesize
20.2MB

MD5
25761a4f7b69eb784f2b4a8d70cbcfc5

SHA1
3979751282a83bbbe195c0cf8b575c6112a0a822

SHA256
b6f92f52252f3a1da8b9699c65b2bf0ca299e214ccbf0d6bb6615a77b058ac54

SHA512
b459b8b922e4d70a8dfa334bd93c8441f79e10df846b8b3b00e00b5853f4e0f2e13923dd887ff78e0bb578de198dd80916660c3c4b1125ba60bf43955e9c75e6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
06618c35564d84d4f1cd69474a4871cc

SHA1
6161822f5870055c161942d8c9ca0a997fc31e2f

SHA256
2dbb3a2fe42d062019d46d6ae5319ba692b3ba54ede9e3cee81f68db5e39f620

SHA512
550a83676057a6f0a4b765589b8689ac653b419054be12e9f381890807ed8c6b6474991216bb71e74a88db7ec10c1305dd1dce7e1e6de3d2db8706c956e77707

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
71a29cf2ec067df5583c4529a6dc03b4

SHA1
eb1e89bb5039948b06bad243791b5b72028af535

SHA256
fec705ffd78f95ded231ecbac06f2b9d8a7ffad86c16a0c49152d2a80bde33f7

SHA512
41d92e51a6357bbef90e1142dd8ef5b52963e498212653362260d8270a99488074ae404d460e4520ac208530844a5673dc0d399b3e6f1d84909e09200e8ad5f9

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\qvkep.cc3

Filesize
24.0MB

MD5
7dcbeda590366ab02ef21546b0575a77

SHA1
e56bf3af619abf5d5b5223f618e07ca1f13deaf8

SHA256
a5d06c5913ec7c2ff8e348a6e234d7125a18d4f036cc3cbf29150fc8791021f0

SHA512
75df7c6535afa14468c24c51c3a2591d6e687e07999dca3162dbbc438327591910e9f6a4f3921ee465af69e43a220beb62b1469f5da592736d771768b1cdce5c

Download Submit
\??\c:\users\admin\appdata\local\jdmtflbuvn

Filesize
20.2MB

MD5
25761a4f7b69eb784f2b4a8d70cbcfc5

SHA1
3979751282a83bbbe195c0cf8b575c6112a0a822

SHA256
b6f92f52252f3a1da8b9699c65b2bf0ca299e214ccbf0d6bb6615a77b058ac54

SHA512
b459b8b922e4d70a8dfa334bd93c8441f79e10df846b8b3b00e00b5853f4e0f2e13923dd887ff78e0bb578de198dd80916660c3c4b1125ba60bf43955e9c75e6

Download Submit
memory/2276-137-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/2276-140-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/4740-136-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/4740-132-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download