gh0strat | 426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388

General

Target

426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe
Size

20.7MB
MD5

70e42100914145f42e4104c6e1f22ee6
SHA1

1ce2daa5a21a0379ec324e041bdfe0c903c764d1
SHA256

426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388
SHA512

44863973efca25ac059bf1e9920da11d3d653f468b324d983077b315ccab3a9629b810e70e7fcf5d456a4283054ab58faafcabc779349434852f1d9822b28bd4
SSDEEP

6144:6Lm+N50Pve6Eq8tkfSOBlWWRmGwL4QQgKKX8x7/2xWqWma2XDzHPt281+nq:6v/0O6l8tpOjWtGNgDUiWqWNKDrt2zq

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000b000000022e15-142.dat	family_gh0strat
behavioral2/files/0x000b000000022e15-143.dat	family_gh0strat
behavioral2/memory/4920-144-0x0000000000400000-0x0000000000574000-memory.dmp	family_gh0strat
behavioral2/memory/4920-145-0x0000000000400000-0x0000000000574000-memory.dmp	family_gh0strat
behavioral2/files/0x000b000000022e15-146.dat	family_gh0strat
behavioral2/files/0x000b000000022e15-148.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4920	mtsermfumo

Loads dropped DLL 3 IoCs

pid	Process
4888	svchost.exe
2232	svchost.exe
1336	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tyuxdmhehv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tjlbpnnwgi	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ticgnwuptt	svchost.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3880	4920	WerFault.exe	80
4236	4888	WerFault.exe	84
4284	2232	WerFault.exe	87
1084	1336	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4920	mtsermfumo
4920	mtsermfumo

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeRestorePrivilege	4920	mtsermfumo
Token: SeBackupPrivilege	4920	mtsermfumo
Token: SeBackupPrivilege	4920	mtsermfumo
Token: SeRestorePrivilege	4920	mtsermfumo
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeRestorePrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	4888	svchost.exe
Token: SeSecurityPrivilege	4888	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeSecurityPrivilege	2232	svchost.exe
Token: SeBackupPrivilege	1336	svchost.exe
Token: SeRestorePrivilege	1336	svchost.exe
Token: SeBackupPrivilege	1336	svchost.exe
Token: SeBackupPrivilege	1336	svchost.exe
Token: SeSecurityPrivilege	1336	svchost.exe
Token: SeSecurityPrivilege	1336	svchost.exe
Token: SeBackupPrivilege	1336	svchost.exe
Token: SeBackupPrivilege	1336	svchost.exe
Token: SeSecurityPrivilege	1336	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4920	4948	426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe	80
PID 4948 wrote to memory of 4920	4948	426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe	80
PID 4948 wrote to memory of 4920	4948	426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe	80

C:\Users\Admin\AppData\Local\Temp\426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe
"C:\Users\Admin\AppData\Local\Temp\426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- \??\c:\users\admin\appdata\local\mtsermfumo
  "C:\Users\Admin\AppData\Local\Temp\426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe" a -sc:\users\admin\appdata\local\temp\426c8ce49555ab2f91af42246e43b9ef78b85ef8733d8de043b3e1049dbc9388.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 628
    3⤵
    - Program crash
    PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4920 -ip 4920
1⤵
PID:3016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 800
  2⤵
  - Program crash
  PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4888 -ip 4888
1⤵
PID:4156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 960
  2⤵
  - Program crash
  PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2232 -ip 2232
1⤵
PID:4032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1052
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1336 -ip 1336
1⤵
PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\vjxic.cc3

Filesize
23.1MB

MD5
7711c5700b45313c53155f897670456f

SHA1
d87bbaa417633dc61c4b01e8b3efcd270feb635d

SHA256
c5961690619eb210dbe75344d817e4d16b728c392e9f4feefa84d765aa2655ee

SHA512
6d84a61bfd7ad0e00c13fc9b92af05d78ca55e1bc537d1d64f82fe1833b2d631dd9bca2d0b03537c8ab993b5a56e1cfa0dbc96fe45ebff9469795233a48f6e92

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\vjxic.cc3

Filesize
23.1MB

MD5
7711c5700b45313c53155f897670456f

SHA1
d87bbaa417633dc61c4b01e8b3efcd270feb635d

SHA256
c5961690619eb210dbe75344d817e4d16b728c392e9f4feefa84d765aa2655ee

SHA512
6d84a61bfd7ad0e00c13fc9b92af05d78ca55e1bc537d1d64f82fe1833b2d631dd9bca2d0b03537c8ab993b5a56e1cfa0dbc96fe45ebff9469795233a48f6e92

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\vjxic.cc3

Filesize
23.1MB

MD5
7711c5700b45313c53155f897670456f

SHA1
d87bbaa417633dc61c4b01e8b3efcd270feb635d

SHA256
c5961690619eb210dbe75344d817e4d16b728c392e9f4feefa84d765aa2655ee

SHA512
6d84a61bfd7ad0e00c13fc9b92af05d78ca55e1bc537d1d64f82fe1833b2d631dd9bca2d0b03537c8ab993b5a56e1cfa0dbc96fe45ebff9469795233a48f6e92

Download Submit
C:\Users\Admin\AppData\Local\mtsermfumo

Filesize
20.7MB

MD5
995d7b85367e6a09eaeb8d5ab7165cbb

SHA1
183a3752ca70ef2c901fc006f816dcf68d1db1fd

SHA256
cfa557902391053b1e4b7d74fda2f43d37009db12cf0079e16dcaa09ba271105

SHA512
58439a0aaf918fb6339179ab2a62512fd561904397a1da5da03d7013a91991e140e0fb70565dd8088634c9230827c692373dfd3e48ef357cf9c3c0a2845bffa4

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
634a40d5f492199f5ce26f0ae1dd790e

SHA1
2b7fe3c887e1ef4a0cd82d3b80a701c4d3072425

SHA256
5bca8729ef428b5cbe27ca4b0d5d5daf1a294c3ba058a1aca27fa9c4509f67a2

SHA512
f67f5314589eaaab0dee6df0ed159b628b39e98fb363990c5e7c9c4a6b135a8780c9426151c5a9672d91238093beec8b7a96c46f672530bbd60e05edb9be51ae

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
df9b1aed7d1b5ac1b79cf1b662171112

SHA1
97a3b8ba2d14f773a7afed917be39afb826341da

SHA256
2627659cfcdfe5c1c202ea05388b4b9422d3e2765e0ec07bf04b35af2a9ee834

SHA512
30a0d9a82e1f09df60520649db644879938b392d72f0f6bc83f6bfe93cf4e63db14824350fa3e534516d4a110ebe44bae14624ab0bb0a29b3e66497a5fc08d81

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\vjxic.cc3

Filesize
23.1MB

MD5
7711c5700b45313c53155f897670456f

SHA1
d87bbaa417633dc61c4b01e8b3efcd270feb635d

SHA256
c5961690619eb210dbe75344d817e4d16b728c392e9f4feefa84d765aa2655ee

SHA512
6d84a61bfd7ad0e00c13fc9b92af05d78ca55e1bc537d1d64f82fe1833b2d631dd9bca2d0b03537c8ab993b5a56e1cfa0dbc96fe45ebff9469795233a48f6e92

Download Submit
\??\c:\users\admin\appdata\local\mtsermfumo

Filesize
20.7MB

MD5
995d7b85367e6a09eaeb8d5ab7165cbb

SHA1
183a3752ca70ef2c901fc006f816dcf68d1db1fd

SHA256
cfa557902391053b1e4b7d74fda2f43d37009db12cf0079e16dcaa09ba271105

SHA512
58439a0aaf918fb6339179ab2a62512fd561904397a1da5da03d7013a91991e140e0fb70565dd8088634c9230827c692373dfd3e48ef357cf9c3c0a2845bffa4

Download Submit
memory/4920-140-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4920-144-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4920-145-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4920-139-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4948-133-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4948-138-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4948-132-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing