gh0strat | ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b

General

Target

ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Size

121KB
MD5

1aa48fd8ced520290f7a5206f0812880
SHA1

27c0e8e57a14c08353652d601a2d46ddfd80ff55
SHA256

ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b
SHA512

3c6be6decca881dffb5a085c1826d47ff8badf9da960372d3b53f567ce60eb0d4163e6e0583d581d7573a6f9dcab9f1e0755287bafd34c27c70d93da89982e5c
SSDEEP

3072:/bXHC0G9e5Ueo6kqFU6IvxwyyyhBIpKXvqi2:/bXC0nX0Vvy4IpQqB

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/1460-54-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/1460-56-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000014142-58.dat	family_gh0strat
behavioral1/files/0x000a000000014142-59.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-62.dat	family_gh0strat
behavioral1/memory/1460-63-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1460-54-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral1/memory/1460-56-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral1/memory/1460-63-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect

Deletes itself 1 IoCs

pid	Process
856	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
856	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Bwxy\Wnopqrstu.gif	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
File created	C:\Program Files (x86)\Bwxy\Wnopqrstu.gif	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeBackupPrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeBackupPrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeBackupPrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	1460	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe

C:\Users\Admin\AppData\Local\Temp\ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
"C:\Users\Admin\AppData\Local\Temp\ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2893200.dll

Filesize
148KB

MD5
1a50aedcb7d76feb510c9d04d44534a3

SHA1
00c81430a77c32a0f4ccdb73fb726755129f8e1d

SHA256
d39105ef3c9ff1a7363bee5d19070ae3e208181f93acec2aa67bd933c9d08630

SHA512
68d5658213557b43790bf238e259941ce76527c53f8571166c32acb9b28798ee3d463e7347dbcdeeca252075a3064431bfd18c02efc6dc063d78aacd45645edf

Download Submit
C:\WinWall32.gif

Filesize
117B

MD5
e166bd9aa54ee59071d3905bf0b3a17f

SHA1
5299444743427d4d9a6a427140a6e4f6f1aaee3b

SHA256
6289083e5383998b7053c831598cba50dfb5708671663f7e1900610efce9842e

SHA512
5627962c96e63aad0526c11858187b49ccf1a040f183ecdd43f3a29328e0e71118ce64ea57a71c105b2f5ee23a98b97f556f4be9ce29a4b088f21f57ea6edb52

Download Submit
\??\c:\program files (x86)\bwxy\wnopqrstu.gif

Filesize
811KB

MD5
f6d91e0fafedff8c2f0ca8d723b11b3d

SHA1
75d343258f229462ac3979468d9c49ef221aaa81

SHA256
da38df24f342325a1222e3bcce78b2f63fbf74e4d8508fc125c9f46072eb1694

SHA512
471ff5d723ada4561f68908b51829ac33caa3851046ea4f981d2b2d93ce9896ba79604d25ebb0b62d8994dd632644d6fee49330a7f423493723ef66eba334327

Download Submit
\Program Files (x86)\Bwxy\Wnopqrstu.gif

Filesize
811KB

MD5
f6d91e0fafedff8c2f0ca8d723b11b3d

SHA1
75d343258f229462ac3979468d9c49ef221aaa81

SHA256
da38df24f342325a1222e3bcce78b2f63fbf74e4d8508fc125c9f46072eb1694

SHA512
471ff5d723ada4561f68908b51829ac33caa3851046ea4f981d2b2d93ce9896ba79604d25ebb0b62d8994dd632644d6fee49330a7f423493723ef66eba334327

Download Submit
memory/1460-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-57-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1460-63-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing