gh0strat | 939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
Size

216KB
MD5

71f769fb0a11fe45af4966b714696c6d
SHA1

6d2380617a51ab2a2ee34698f78a76768c698588
SHA256

939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc
SHA512

127bab77fccbeea8dc8fe3d22dcd69cfc999d1e99b6f32a21e36d55f5fa80474ce35846fd6d66c83184a9ea689b97ef3643b5b9c8b67ad2bfe5a84b2111d36c1
SSDEEP

6144:m4GYmetP9k3Odlsd/7oMuAgxpoqg6ue2Z7C3R:B7vBEDd/01AgoCuesC

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023161-134.dat	family_gh0strat
behavioral2/files/0x0007000000023161-135.dat	family_gh0strat
behavioral2/files/0x0006000000023162-136.dat	family_gh0strat
behavioral2/files/0x000b00000002316c-137.dat	family_gh0strat
behavioral2/files/0x000b00000002316c-139.dat	family_gh0strat
behavioral2/files/0x0006000000023162-141.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
3328	JBCDEF~1.EXE

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/408-132-0x0000000001000000-0x0000000001066000-memory.dmp	vmprotect
behavioral2/memory/408-138-0x0000000001000000-0x0000000001066000-memory.dmp	vmprotect

Loads dropped DLL 2 IoCs

pid	Process
3328	JBCDEF~1.EXE
4316	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	JBCDEF~1.EXE
File opened for modification	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	JBCDEF~1.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3328	JBCDEF~1.EXE
Token: SeRestorePrivilege	3328	JBCDEF~1.EXE
Token: SeBackupPrivilege	3328	JBCDEF~1.EXE
Token: SeRestorePrivilege	3328	JBCDEF~1.EXE
Token: SeBackupPrivilege	3328	JBCDEF~1.EXE
Token: SeRestorePrivilege	3328	JBCDEF~1.EXE
Token: SeBackupPrivilege	3328	JBCDEF~1.EXE
Token: SeRestorePrivilege	3328	JBCDEF~1.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3328	408	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	84
PID 408 wrote to memory of 3328	408	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	84
PID 408 wrote to memory of 3328	408	939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe	84

C:\Users\Admin\AppData\Local\Temp\939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe
"C:\Users\Admin\AppData\Local\Temp\939bc993409d0a994dfb3562a09bddeebe3080988b8cc0f7bc523e7e40beccdc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1418300.dll

Filesize
131KB

MD5
2e41af70765980c49ed94501f7a224f7

SHA1
7eb9a0bf02ef9fe0a644050e0ff17fddf4aae1fd

SHA256
2191394ad6fcc85944da24cdf6db04ac05100d3d3f7f7f793c0aee1e59085df3

SHA512
d2133319a52bab51b611c5143d86d3732885eb437e8c3de0cda9dd7d8b2c89bbf5248ea9318bcc110425ebe662d639d487549928f030a7851b0f5b83119ac63f

Download Submit
C:\1418300.dll

Filesize
131KB

MD5
2e41af70765980c49ed94501f7a224f7

SHA1
7eb9a0bf02ef9fe0a644050e0ff17fddf4aae1fd

SHA256
2191394ad6fcc85944da24cdf6db04ac05100d3d3f7f7f793c0aee1e59085df3

SHA512
d2133319a52bab51b611c5143d86d3732885eb437e8c3de0cda9dd7d8b2c89bbf5248ea9318bcc110425ebe662d639d487549928f030a7851b0f5b83119ac63f

Download Submit
C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg

Filesize
996KB

MD5
889a9230aabd88a763842be66287742f

SHA1
fdcacacbdfcb86802b1b00e58af852af10f34674

SHA256
3e520782e9624d4427345faee3333f9e6a318c7a66afc56c04fc61b3fe0a0518

SHA512
a6ff344f6171810d142c71665f8e94d5b236f1594dd4505f6afa5e47c079e3e61aed1e9b78ac79dd35b7bf55ded7456b16126e0731642229821c2f6e82156e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JBCDEF~1.EXE

Filesize
139KB

MD5
e880877e7254770d611687ef90689a40

SHA1
ed77772bfb73e09c15ed5bb793b449e0a989e99b

SHA256
ae0ca3d2762164efc77b030fbc3aa5c6fc2617515715b5110e1f63a0151efd21

SHA512
ef36b9f4cb9eca9fc61b4994d66201648afeffd0d5418fdd592e9f9bad7b6dad8f1fa15ae444fb4c63cdd147cac96a2a17288c83f531841fde22a3785f0725f8

Download Submit
\??\c:\NT_Path.jpg

Filesize
72B

MD5
457a1a78ba85b8bc492de4937f31c2df

SHA1
ea97e1d502a4dca5d2ed7c9b6cfe3d925bd0f720

SHA256
79c1c5a3fb0fa7d868eead79d1fae432bbc99b19a98a6c7ef5fbd224bef5bd97

SHA512
4a2f7c0562c0f2cd20332d2ca154d3611bdea4c8b73342be661c061e722d62e8575a6751f7f0905bfba7d897d019bc25a01a4315e84030d2f1e544d2e2ad8ef8

Download Submit
\??\c:\program files (x86)\xtuv\dtuvwxyab.jpg

Filesize
996KB

MD5
889a9230aabd88a763842be66287742f

SHA1
fdcacacbdfcb86802b1b00e58af852af10f34674

SHA256
3e520782e9624d4427345faee3333f9e6a318c7a66afc56c04fc61b3fe0a0518

SHA512
a6ff344f6171810d142c71665f8e94d5b236f1594dd4505f6afa5e47c079e3e61aed1e9b78ac79dd35b7bf55ded7456b16126e0731642229821c2f6e82156e4c

Download Submit
memory/408-132-0x0000000001000000-0x0000000001066000-memory.dmp

Filesize
408KB

Download
memory/408-138-0x0000000001000000-0x0000000001066000-memory.dmp

Filesize
408KB

Download
memory/3328-133-0x0000000000000000-mapping.dmp

Download