gh0strat | e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df

Analysis

max time kernel
188s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe
Size

94KB
MD5

68212e83c004e10fa0a30f53782d48a5
SHA1

56a4b6deb1d832ff101d38589eda257752bd0ffe
SHA256

e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df
SHA512

84c3822a02ad2da2a8befd1dcc2fddeb3033a561a8170d36e3073e5dfee528f3d5eaa8df8378a4f6613e3ded2d73a3f0485b51728842e50bdb95305cf936a33a
SSDEEP

1536:bklFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prfJgGzgIzDgm:bkrS4jHS8q/3nTzePCwNUh4E9jgADj

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023149-139.dat	family_gh0strat
behavioral2/files/0x0008000000023149-140.dat	family_gh0strat
behavioral2/memory/260-141-0x0000000000400000-0x000000000044C613-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
260	ligripledq

Loads dropped DLL 1 IoCs

pid	Process
3352	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcodiyeqpe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
260	ligripledq
260	ligripledq

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	260	ligripledq
Token: SeBackupPrivilege	260	ligripledq
Token: SeBackupPrivilege	260	ligripledq
Token: SeRestorePrivilege	260	ligripledq
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeRestorePrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeSecurityPrivilege	3352	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 260	3436	e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe	82
PID 3436 wrote to memory of 260	3436	e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe	82
PID 3436 wrote to memory of 260	3436	e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe	82

C:\Users\Admin\AppData\Local\Temp\e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe
"C:\Users\Admin\AppData\Local\Temp\e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436
- \??\c:\users\admin\appdata\local\ligripledq
  "C:\Users\Admin\AppData\Local\Temp\e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe" a -sc:\users\admin\appdata\local\temp\e903cc9243798e9af90a0c93f9c62bd001a597c39e4cd95e3fe25b40eed237df.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\iggyj.cc3

Filesize
19.1MB

MD5
31d69d6b28b137e91b5cd74ffbb340ac

SHA1
1f083f7fe0ca3ec7e00df5bd6f763ee2a80bf4d0

SHA256
efd47f0273f4e16ef62154f224e4397fb987f7e680b1bc2e9e0fc9851d4e2ff3

SHA512
2bc303c48b383aee7fbf6cd2b1a23a32c0c8ddeb66469287d441dfe0ae9121f490328305c762be7baa4707ad5ee3e597c7f5fd2420525c6c720c2931484019b8

Download Submit
C:\Users\Admin\AppData\Local\ligripledq

Filesize
21.6MB

MD5
97a95ac39dc832f3367b3f6568dceb85

SHA1
3e2d58643c4a0889de4aa1f28fdf51c84045b574

SHA256
f41c2383fcc6cdd062b72a0626a0099bccfaa4c630011d5adff00b8379127973

SHA512
55b0336ea68154b8364645afa9c2a6258ed493552820fb3e7838cf7db3e94c26aacba3aa9025d8edabee09c6535217444a7124fd6a29d7c4613953ca0b1a1c27

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\iggyj.cc3

Filesize
19.1MB

MD5
31d69d6b28b137e91b5cd74ffbb340ac

SHA1
1f083f7fe0ca3ec7e00df5bd6f763ee2a80bf4d0

SHA256
efd47f0273f4e16ef62154f224e4397fb987f7e680b1bc2e9e0fc9851d4e2ff3

SHA512
2bc303c48b383aee7fbf6cd2b1a23a32c0c8ddeb66469287d441dfe0ae9121f490328305c762be7baa4707ad5ee3e597c7f5fd2420525c6c720c2931484019b8

Download Submit
\??\c:\users\admin\appdata\local\ligripledq

Filesize
21.6MB

MD5
97a95ac39dc832f3367b3f6568dceb85

SHA1
3e2d58643c4a0889de4aa1f28fdf51c84045b574

SHA256
f41c2383fcc6cdd062b72a0626a0099bccfaa4c630011d5adff00b8379127973

SHA512
55b0336ea68154b8364645afa9c2a6258ed493552820fb3e7838cf7db3e94c26aacba3aa9025d8edabee09c6535217444a7124fd6a29d7c4613953ca0b1a1c27

Download Submit
memory/260-137-0x0000000000400000-0x000000000044C613-memory.dmp

Filesize
305KB

Download
memory/260-138-0x0000000000400000-0x000000000044C613-memory.dmp

Filesize
305KB

Download
memory/260-141-0x0000000000400000-0x000000000044C613-memory.dmp

Filesize
305KB

Download
memory/3436-132-0x0000000000400000-0x000000000044C613-memory.dmp

Filesize
305KB

Download
memory/3436-135-0x0000000000400000-0x000000000044C613-memory.dmp

Filesize
305KB

Download