gh0strat | ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b

Analysis

max time kernel
190s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Size

121KB
MD5

1aa48fd8ced520290f7a5206f0812880
SHA1

27c0e8e57a14c08353652d601a2d46ddfd80ff55
SHA256

ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b
SHA512

3c6be6decca881dffb5a085c1826d47ff8badf9da960372d3b53f567ce60eb0d4163e6e0583d581d7573a6f9dcab9f1e0755287bafd34c27c70d93da89982e5c
SSDEEP

3072:/bXHC0G9e5Ueo6kqFU6IvxwyyyhBIpKXvqi2:/bXC0nX0Vvy4IpQqB

Score

10^/10

gh0strat rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/3924-132-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral2/memory/3924-134-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral2/files/0x000a000000022dfb-135.dat	family_gh0strat
behavioral2/files/0x000a000000022e09-136.dat	family_gh0strat
behavioral2/memory/3924-137-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral2/files/0x000a000000022e09-138.dat	family_gh0strat
behavioral2/files/0x000a000000022dfb-140.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3924-132-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral2/memory/3924-134-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral2/memory/3924-137-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect

Loads dropped DLL 2 IoCs

pid	Process
3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
1812	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Bwxy\Wnopqrstu.gif	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
File created	C:\Program Files (x86)\Bwxy\Wnopqrstu.gif	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeBackupPrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeBackupPrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeBackupPrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
Token: SeRestorePrivilege	3924	ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe

C:\Users\Admin\AppData\Local\Temp\ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe
"C:\Users\Admin\AppData\Local\Temp\ae387a1b9f0b7bb13fecb13ddab8361d51700d54ccffb8a8b80214b00415445b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2685700.dll

Filesize
148KB

MD5
1a50aedcb7d76feb510c9d04d44534a3

SHA1
00c81430a77c32a0f4ccdb73fb726755129f8e1d

SHA256
d39105ef3c9ff1a7363bee5d19070ae3e208181f93acec2aa67bd933c9d08630

SHA512
68d5658213557b43790bf238e259941ce76527c53f8571166c32acb9b28798ee3d463e7347dbcdeeca252075a3064431bfd18c02efc6dc063d78aacd45645edf

Download Submit
C:\2685700.dll

Filesize
148KB

MD5
1a50aedcb7d76feb510c9d04d44534a3

SHA1
00c81430a77c32a0f4ccdb73fb726755129f8e1d

SHA256
d39105ef3c9ff1a7363bee5d19070ae3e208181f93acec2aa67bd933c9d08630

SHA512
68d5658213557b43790bf238e259941ce76527c53f8571166c32acb9b28798ee3d463e7347dbcdeeca252075a3064431bfd18c02efc6dc063d78aacd45645edf

Download Submit
C:\Program Files (x86)\Bwxy\Wnopqrstu.gif

Filesize
8.3MB

MD5
b099c864c569bc914f477076b90f2912

SHA1
b1da66ace023e203938efe85b71499a7a549296d

SHA256
fc027fbf5279aa61a55d251f5c972ccb784fd6326f136925dd405bdc44da422c

SHA512
ff22ac951163a55f2b485db5a13b13d7b688dc7406bfa4366ff0c36a2a27b3f30da6bcf35246a613fb4393d726c54d3e5f2874c030ca6e5f5771aa0d208cee72

Download Submit
C:\WinWall32.gif

Filesize
117B

MD5
17af23bc7354ccb0bb21cb2781951a0a

SHA1
4477107e8a987361942f5b4731a77403b96f0339

SHA256
34e17631b7bc8240bbfd4ed564d69408356ed222d267a8c5783e78736da7b639

SHA512
1020e8e12103e250f55644ed400f6e522f98bf4a607a0200e71cf92efad5ff48cb5130731e2a011c85c881a3884962d01c33da77c932babdb085a88c7ba68ee1

Download Submit
\??\c:\program files (x86)\bwxy\wnopqrstu.gif

Filesize
8.3MB

MD5
b099c864c569bc914f477076b90f2912

SHA1
b1da66ace023e203938efe85b71499a7a549296d

SHA256
fc027fbf5279aa61a55d251f5c972ccb784fd6326f136925dd405bdc44da422c

SHA512
ff22ac951163a55f2b485db5a13b13d7b688dc7406bfa4366ff0c36a2a27b3f30da6bcf35246a613fb4393d726c54d3e5f2874c030ca6e5f5771aa0d208cee72

Download Submit
memory/3924-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download