gh0strat | b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65

Analysis

max time kernel
152s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 08:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Size

192KB
MD5

13356674c0b28f5de14e13f606d37530
SHA1

10400bc09b12ca3b4a75bb9125320bd575cffb96
SHA256

b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65
SHA512

3ce0cc561b6e6a52d9fedfa55c8314596ab17aa29bc24af96561ab9846f89a662db0cc023baf0101c1dc9b5b2aa71d9220067764f1b6ae16c5abe1398e00076b
SSDEEP

3072:OQk3DH+bK+snWjvUJFMKkj8aPBHA40qcVWhUXYvpSVxoTVrbMzYiw/mEFVg:OQkTH+bpsnWjvEkrPadqc6UIvK6jt+

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022e13-132.dat	family_gh0strat
behavioral2/files/0x0009000000022e13-133.dat	family_gh0strat
behavioral2/files/0x0009000000022e13-134.dat	family_gh0strat
behavioral2/files/0x0009000000022e13-135.dat	family_gh0strat
behavioral2/files/0x0009000000022e13-136.dat	family_gh0strat
behavioral2/files/0x0009000000022e13-137.dat	family_gh0strat
behavioral2/files/0x0009000000022e13-138.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 6 IoCs

pid	Process
3476	svchost.exe
1488	svchost.exe
2608	svchost.exe
1984	svchost.exe
3404	svchost.exe
4280	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jqiiv.cc3	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2176	3476	WerFault.exe	86
2308	1488	WerFault.exe	93
3492	2608	WerFault.exe	96
2012	1984	WerFault.exe	99
1728	3404	WerFault.exe	106
4616	4280	WerFault.exe	111

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeBackupPrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
Token: SeRestorePrivilege	2964	b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe

C:\Users\Admin\AppData\Local\Temp\b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe
"C:\Users\Admin\AppData\Local\Temp\b562084d28609c489257c3dac5ef1384396cae2a10664dac04991d9d2cc36c65.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 596
  2⤵
  - Program crash
  PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3476 -ip 3476
1⤵
PID:3436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:1488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 596
  2⤵
  - Program crash
  PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1488 -ip 1488
1⤵
PID:1284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 600
  2⤵
  - Program crash
  PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2608 -ip 2608
1⤵
PID:1200

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 592
  2⤵
  - Program crash
  PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1984 -ip 1984
1⤵
PID:4560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 592
  2⤵
  - Program crash
  PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3404 -ip 3404
1⤵
PID:4176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:4280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 596
  2⤵
  - Program crash
  PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4280 -ip 4280
1⤵
PID:1040

Network

DNS

96.108.152.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.108.152.52.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

8.248.99.254:80

322 B
7
8.248.99.254:80

260 B
5
93.184.220.29:80

322 B
7
93.184.220.29:80

260 B
5
93.184.220.29:80

260 B
5
104.208.16.90:443

322 B
7
93.184.221.240:80

46 B
40 B
1
1
93.184.221.240:80

46 B
40 B
1
1
8.248.99.254:80

322 B
7
8.248.99.254:80

322 B
7
104.80.225.205:443

322 B
7
8.247.211.254:80

322 B
7
8.238.20.126:80

46 B
40 B
1
1

8.8.8.8:53

96.108.152.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

96.108.152.52.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit
C:\Windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit
C:\Windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit
C:\Windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit
C:\Windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit
C:\Windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit
\??\c:\windows\SysWOW64\jqiiv.cc3

Filesize
23.0MB

MD5
7b19387c3bd2b30d1c64e2a485664749

SHA1
411e45fdf928752056019f35f0cbbed59f544d9d

SHA256
53a6f2db4f8b5c07797d47621bdcd7b476c7ab4076243581f0832499075bcbce

SHA512
240c542aadc045be68ed8e01ba6cab44c6ff152c9cc96f3d313224527784f655559432ec9f69a127fcdcd6c89fa981a119a88beb51970f6e8186acf84d9487ee

Download Submit