gh0strat | 99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc

Analysis

max time kernel
151s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll
Size

932KB
MD5

613c1b13ccc2e6f798c54c1acf053880
SHA1

5535fb1b8f77b4bb9dd19aeb99f8ca78dca67bc0
SHA256

99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc
SHA512

92a38c2cd4773b737266c31742dd42e32cd086f0652767cdac4ed562faa26e9fcff8d8cb3426a37cc3b5d6d7dee76b9fec10b592c9d1518f7ad340b77ac47d7e
SSDEEP

12288:nmv2qPjNvAUUGu7vNOjwQCEGnSe/QdF/nDAuWkgUrNgnvvP9bcMrhtMmyKz2J8fP:nmvvjNFqg8x/Qd5JgUSnHx31ahKz2a

Score

10^/10

gh0strat rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral1/memory/1756-56-0x0000000010000000-0x000000001025A000-memory.dmp	family_gh0strat
behavioral1/files/0x000c0000000054a8-58.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-60.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-61.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-63.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-64.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-65.dat	family_gh0strat
behavioral1/memory/1756-66-0x0000000010000000-0x000000001025A000-memory.dmp	family_gh0strat
behavioral1/files/0x000a00000001313e-68.dat	family_gh0strat
behavioral1/files/0x000b0000000133e5-69.dat	family_gh0strat
behavioral1/files/0x000b0000000133e5-70.dat	family_gh0strat
behavioral1/memory/1756-72-0x0000000010000000-0x000000001025A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1316	360DL1.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1756-56-0x0000000010000000-0x000000001025A000-memory.dmp	vmprotect
behavioral1/memory/1756-66-0x0000000010000000-0x000000001025A000-memory.dmp	vmprotect
behavioral1/memory/1756-72-0x0000000010000000-0x000000001025A000-memory.dmp	vmprotect

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe	rundll32.exe

Loads dropped DLL 6 IoCs

pid	Process
1756	rundll32.exe
1316	360DL1.exe
1316	360DL1.exe
1316	360DL1.exe
1316	360DL1.exe
2032	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	360DL1.exe
File created	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	360DL1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
988	1756	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1316	360DL1.exe
Token: SeRestorePrivilege	1316	360DL1.exe
Token: SeBackupPrivilege	1316	360DL1.exe
Token: SeRestorePrivilege	1316	360DL1.exe
Token: SeBackupPrivilege	1316	360DL1.exe
Token: SeRestorePrivilege	1316	360DL1.exe
Token: SeBackupPrivilege	1316	360DL1.exe
Token: SeRestorePrivilege	1316	360DL1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1556 wrote to memory of 1756	1556	rundll32.exe	27
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 1316	1756	rundll32.exe	28
PID 1756 wrote to memory of 988	1756	rundll32.exe	29
PID 1756 wrote to memory of 988	1756	rundll32.exe	29
PID 1756 wrote to memory of 988	1756	rundll32.exe	29
PID 1756 wrote to memory of 988	1756	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\99069ca7ac4c2ec68a1d8cb9527e0d435323c915ade1b3d1bb6cc89a6c5709dc.dll,#1
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\360DL1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 320
    3⤵
    - Program crash
    PID:988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe

Filesize
114KB

MD5
ae9006a7c112f2149bdbba71b45b0327

SHA1
263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba

SHA256
c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102

SHA512
68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe

Filesize
114KB

MD5
ae9006a7c112f2149bdbba71b45b0327

SHA1
263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba

SHA256
c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102

SHA512
68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Download Submit
\??\c:\program files (x86)\xtuv\dtuvwxyab.jpg

Filesize
14.2MB

MD5
defbf993cf30953fcc3b0681596b97ba

SHA1
c3eafcef75683b4e84b8a39703ea5942c41c37ee

SHA256
4117b886fdba213372e34ea0984d8fca6ff2a8c53c4fc51fd0562f10101d09b2

SHA512
d81ccaf1d1c30f917c5e64fbc5a4f01e2aca505d3707d30f37a446aff0ba7bf0b6824427c087e3659cfeff620cc062e027db02fc9ca6012af5c2e7f043a8ff59

Download Submit
\Program Files (x86)\Xtuv\Dtuvwxyab.jpg

Filesize
14.2MB

MD5
defbf993cf30953fcc3b0681596b97ba

SHA1
c3eafcef75683b4e84b8a39703ea5942c41c37ee

SHA256
4117b886fdba213372e34ea0984d8fca6ff2a8c53c4fc51fd0562f10101d09b2

SHA512
d81ccaf1d1c30f917c5e64fbc5a4f01e2aca505d3707d30f37a446aff0ba7bf0b6824427c087e3659cfeff620cc062e027db02fc9ca6012af5c2e7f043a8ff59

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe

Filesize
114KB

MD5
ae9006a7c112f2149bdbba71b45b0327

SHA1
263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba

SHA256
c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102

SHA512
68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe

Filesize
114KB

MD5
ae9006a7c112f2149bdbba71b45b0327

SHA1
263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba

SHA256
c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102

SHA512
68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe

Filesize
114KB

MD5
ae9006a7c112f2149bdbba71b45b0327

SHA1
263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba

SHA256
c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102

SHA512
68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360DL1.exe

Filesize
114KB

MD5
ae9006a7c112f2149bdbba71b45b0327

SHA1
263deb8d3dfab40dbe0eabae3dbc3fcdeb15c4ba

SHA256
c362b3dd13c79c2a332f10ff35a512b6045f23f6bf6a4f98c550db17b341a102

SHA512
68b1c396508fbeb3ceb4febc3b5e543641814c61770c5f14254960829ee1071a4ca319aa64a91728c8e632a60e2ab72ba00e51809670889aea5d75ad02cbc8cd

Download Submit
\Users\temp2.gif

Filesize
106KB

MD5
d3db8e3614f714ea0a01f0afeb4d6992

SHA1
277d3dfcaa9387700fec70ffc390e0f402aa17ee

SHA256
901d8b8ccbe592f507bf4c6130841fb863e7a189a504f1e8ca69b508dc78ba1f

SHA512
6b9f991a7d58c11b271e194abec927b728c5a6906441547b050b120bde9399459e5dacca0b3c29b1bf838920595f17eac59a3f369d3d1eac3599c78fe3712156

Download Submit
memory/1756-66-0x0000000010000000-0x000000001025A000-memory.dmp

Filesize
2.4MB

Download
memory/1756-56-0x0000000010000000-0x000000001025A000-memory.dmp

Filesize
2.4MB

Download
memory/1756-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1756-72-0x0000000010000000-0x000000001025A000-memory.dmp

Filesize
2.4MB

Download