gh0strat | 939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
Size

216KB
MD5

71f769fb0a11fe45af4966b714696c6d
SHA1

6d2380617a51ab2a2ee34698f78a76768c698588
SHA256

939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc
SHA512

127bab77fccbeea8dc8fe3d22dcd69cfc999d1e99b6f32a21e36d55f5fa80474ce35846fd6d66c83184a9ea689b97ef3643b5b9c8b67ad2bfe5a84b2111d36c1
SSDEEP

6144:m4GYmetP9k3Odlsd/7oMuAgxpoqg6ue2Z7C3R:B7vBEDd/01AgoCuesC

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001231c-54.dat	family_gh0strat
behavioral1/files/0x000c00000001231c-56.dat	family_gh0strat
behavioral1/files/0x000c00000001231c-57.dat	family_gh0strat
behavioral1/files/0x000c00000001231c-59.dat	family_gh0strat
behavioral1/files/0x000c00000001231c-61.dat	family_gh0strat
behavioral1/files/0x000c00000001231c-60.dat	family_gh0strat
behavioral1/files/0x000b000000012721-63.dat	family_gh0strat
behavioral1/files/0x000b000000012721-65.dat	family_gh0strat
behavioral1/files/0x00080000000126c8-68.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1252	JBCDEF~1.EXE

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1760-62-0x0000000001000000-0x0000000001066000-memory.dmp	vmprotect
behavioral1/memory/1760-64-0x0000000001000000-0x0000000001066000-memory.dmp	vmprotect

Loads dropped DLL 5 IoCs

pid	Process
1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
1252	JBCDEF~1.EXE
1252	JBCDEF~1.EXE
1252	JBCDEF~1.EXE
968	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	JBCDEF~1.EXE
File created	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	JBCDEF~1.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe
968	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1252	JBCDEF~1.EXE
Token: SeRestorePrivilege	1252	JBCDEF~1.EXE
Token: SeBackupPrivilege	1252	JBCDEF~1.EXE
Token: SeRestorePrivilege	1252	JBCDEF~1.EXE
Token: SeBackupPrivilege	1252	JBCDEF~1.EXE
Token: SeRestorePrivilege	1252	JBCDEF~1.EXE
Token: SeBackupPrivilege	1252	JBCDEF~1.EXE
Token: SeRestorePrivilege	1252	JBCDEF~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27
PID 1760 wrote to memory of 1252	1760	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	27

C:\Users\Admin\AppData\Local\Temp\939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
"C:\Users\Admin\AppData\Local\Temp\939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2453900.dll

Filesize
131KB

MD5
2e41af70765980c49ed94501f7a224f7

SHA1
7eb9a0bf02ef9fe0a644050e0ff17fddf4aae1fd

SHA256
2191394ad6fcc85944da24cdf6db04ac05100d3d3f7f7f793c0aee1e59085df3

SHA512
d2133319a52bab51b611c5143d86d3732885eb437e8c3de0cda9dd7d8b2c89bbf5248ea9318bcc110425ebe662d639d487549928f030a7851b0f5b83119ac63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
\??\c:\NT_Path.jpg

Filesize
72B

MD5
462b65c67ef78bb9e714c703dc97f2ca

SHA1
86321457b41f7ea1d417810c900d439f3e920841

SHA256
6c93d042834c290ed8c38dc3eba55904b57dc29aabe980345bf6a7eece966723

SHA512
ea5536b34c9d8fe2dbb59fff50f10a54c859e92b78948efb6ac71fea322afe66fdbd46c4c5d91b3b5923f2fb186b7c415f8de4d25ce3f2660ebaf8ae62780895

Download Submit
\??\c:\program files (x86)\xtuv\dtuvwxyab.jpg

Filesize
15.0MB

MD5
9ae76a7626dbbab9e12bfa9785e3f18a

SHA1
bb33fd643dd5ec02d544d798951d02cc6f3a4d24

SHA256
e8619b4414bdbdf785b9487477c06a564f411a13f5c7e16097ab9ccbb4286cdb

SHA512
936d09090e03b8d36cb2b333401a7e578121d9e693201fc0ebf8ed17aceb5366d59d4939887a546c2978d347f2df19ac7c5d5416bdb47b5128d2fc6796f179e0

Download Submit
\Program Files (x86)\Xtuv\Dtuvwxyab.jpg

Filesize
15.0MB

MD5
9ae76a7626dbbab9e12bfa9785e3f18a

SHA1
bb33fd643dd5ec02d544d798951d02cc6f3a4d24

SHA256
e8619b4414bdbdf785b9487477c06a564f411a13f5c7e16097ab9ccbb4286cdb

SHA512
936d09090e03b8d36cb2b333401a7e578121d9e693201fc0ebf8ed17aceb5366d59d4939887a546c2978d347f2df19ac7c5d5416bdb47b5128d2fc6796f179e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
memory/1252-58-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-62-0x0000000001000000-0x0000000001066000-memory.dmp

Filesize
408KB

Download
memory/1760-64-0x0000000001000000-0x0000000001066000-memory.dmp

Filesize
408KB

Download