gh0strat | 438e44aae94e8376d2e36e23212920e936b7517bca24eaf66e9d7d014e21552c

Analysis

max time kernel
75s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bjyk.exe
Size

377KB
MD5

ca7c977b5b315dd62b0189f2619764db
SHA1

42ce52b22e5017990660148ba6c5ff0097c5af01
SHA256

c6d90ced12fb16ca9ae112787ce6d29379b06e0ba0a90595e337c07453a571fa
SHA512

b7be48e4c7ca12e0059a6b0064eaa8e8c1f4bbd7ed62c2a34671a5875ba25715b45b780d54e58f5429b2cade56244f6a820a46c0a45b0f7e9d4567213a499427
SSDEEP

6144:xsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90Q1vPjrVCTH3mwVaYo7/8FaA/:OtWUzJq8YPbncT3+vXPjc3xVaYo7UFyO

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral23/memory/840-133-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
C:\Users\Admin\AppData\Local\dtjxyjfndi	family_gh0strat
\??\c:\users\admin\appdata\local\dtjxyjfndi	family_gh0strat
behavioral23/memory/840-148-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral23/memory/1320-155-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
\??\c:\programdata\drm\%sessionname%\kmhwp.cc3	family_gh0strat
C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3	family_gh0strat
behavioral23/memory/1320-162-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3	family_gh0strat
C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\eni862C.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\eni862C.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

dtjxyjfndi

pid process

1320 dtjxyjfndi
Loads dropped DLL 7 IoCs

Processes:

bjyk.exedtjxyjfndisvchost.exesvchost.exesvchost.exe

pid process

840 bjyk.exe
840 bjyk.exe
1320 dtjxyjfndi
1320 dtjxyjfndi
3904 svchost.exe
3376 svchost.exe
4640 svchost.exe

pid	process
1320	dtjxyjfndi

pid	process
840	bjyk.exe
840	bjyk.exe
1320	dtjxyjfndi
1320	dtjxyjfndi
3904	svchost.exe
3376	svchost.exe
4640	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mcfbfsshhl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mcvgdcabuw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mbmlclhthi	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4724 3904 WerFault.exe svchost.exe
4176 3376 WerFault.exe svchost.exe
2152 4640 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dtjxyjfndi

pid process

1320 dtjxyjfndi
1320 dtjxyjfndi

pid	pid_target	process	target process
4724	3904	WerFault.exe	svchost.exe
4176	3376	WerFault.exe	svchost.exe
2152	4640	WerFault.exe	svchost.exe

pid	process
1320	dtjxyjfndi
1320	dtjxyjfndi

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

dtjxyjfndisvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	1320	dtjxyjfndi
Token: SeBackupPrivilege	1320	dtjxyjfndi
Token: SeBackupPrivilege	1320	dtjxyjfndi
Token: SeRestorePrivilege	1320	dtjxyjfndi
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeRestorePrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeSecurityPrivilege	3904	svchost.exe
Token: SeSecurityPrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeSecurityPrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeSecurityPrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3904	svchost.exe
Token: SeRestorePrivilege	3904	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeRestorePrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeSecurityPrivilege	3376	svchost.exe
Token: SeSecurityPrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeSecurityPrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeSecurityPrivilege	3376	svchost.exe
Token: SeBackupPrivilege	3376	svchost.exe
Token: SeRestorePrivilege	3376	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeRestorePrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeSecurityPrivilege	4640	svchost.exe
Token: SeSecurityPrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeSecurityPrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeSecurityPrivilege	4640	svchost.exe
Token: SeBackupPrivilege	4640	svchost.exe
Token: SeRestorePrivilege	4640	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bjyk.exedtjxyjfndi

pid process

840 bjyk.exe
1320 dtjxyjfndi

pid	process
840	bjyk.exe
1320	dtjxyjfndi

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bjyk.exe

description	pid	process	target process
PID 840 wrote to memory of 1320	840	bjyk.exe	dtjxyjfndi
PID 840 wrote to memory of 1320	840	bjyk.exe	dtjxyjfndi
PID 840 wrote to memory of 1320	840	bjyk.exe	dtjxyjfndi

C:\Users\Admin\AppData\Local\Temp\bjyk.exe
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840

\??\c:\users\admin\appdata\local\dtjxyjfndi
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe" a -sc:\users\admin\appdata\local\temp\bjyk.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 872
2⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3904 -ip 3904
1⤵
PID:2320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1112
2⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3376 -ip 3376
1⤵
PID:4404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 864
2⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4640 -ip 4640
1⤵
PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3
Filesize
20.0MB

MD5
1eb51fd593858bbdfb872ec9214f9d6e

SHA1
1627ead1a8046e6d9c32db473aefb82a5531b303

SHA256
359147b01d0dc5621014cac3fe4f9eedb53e10fbcba4459726f6b6d69418a308

SHA512
d88a4ed49e4e43e52dfe9096caeb70ad9f54a4be58104c474954fe41c8208878a93d25a2c7f4bdd2c4e14638ef9f3afb2602e4e21b2abedd8b04e7803132a586

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3
Filesize
20.0MB

MD5
1eb51fd593858bbdfb872ec9214f9d6e

SHA1
1627ead1a8046e6d9c32db473aefb82a5531b303

SHA256
359147b01d0dc5621014cac3fe4f9eedb53e10fbcba4459726f6b6d69418a308

SHA512
d88a4ed49e4e43e52dfe9096caeb70ad9f54a4be58104c474954fe41c8208878a93d25a2c7f4bdd2c4e14638ef9f3afb2602e4e21b2abedd8b04e7803132a586

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3
Filesize
20.0MB

MD5
1eb51fd593858bbdfb872ec9214f9d6e

SHA1
1627ead1a8046e6d9c32db473aefb82a5531b303

SHA256
359147b01d0dc5621014cac3fe4f9eedb53e10fbcba4459726f6b6d69418a308

SHA512
d88a4ed49e4e43e52dfe9096caeb70ad9f54a4be58104c474954fe41c8208878a93d25a2c7f4bdd2c4e14638ef9f3afb2602e4e21b2abedd8b04e7803132a586

Download Submit
C:\Users\Admin\AppData\Local\Temp\eni862C.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eni862C.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\dtjxyjfndi
Filesize
19.2MB

MD5
b49686beda51cec1fa9f478a0e59c79c

SHA1
6d06b15bb5f6b3d76000579e1480360b40b7bdd3

SHA256
8fb5247cb386c5bf568dc10509134df4124685f0044b95e0848d8b93a045afae

SHA512
0e27fa01c6cc8fc3c2fcc4415c116d120c371fb46a4d68d89d934898b196ba5da0307f521dc6adb7d62a8edc05883143c2ba56219d4f0a7ded366239ad57160f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
202B

MD5
f3828e6ab553070f5ca2fc56126ad3c1

SHA1
90bf7710a124cfda7e703117ae1442b47a06dd3d

SHA256
c7bd803686f96bef9124cf25bc43cec23b801c73a4ebe3bd26c4974a221a52d5

SHA512
92d4c87febeffdad57692973c079bb6cfaa0c668eb5fe4ac871016cb370a3792df691e8dc286226c1f987bd88c3395bfa435a7c2baea1653a5b72bdbe06dea12

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
303B

MD5
a6c80544129e79edacf3610d038c53d0

SHA1
82eeac2483bbca877d71dcd473c874eff3b0cbef

SHA256
57860b71e749450b756f1adf18abb5f5f52285d250da42834a70d24571a47a26

SHA512
4df3256397cfc08506645f1b5308c08c254a162e2f904642694947293505b84b3b799a2f24927172eed5e6ce639d2c9868fdea316e1dab94050bcfdf133c9135

Download Submit
\??\c:\programdata\drm\%sessionname%\kmhwp.cc3
Filesize
20.0MB

MD5
1eb51fd593858bbdfb872ec9214f9d6e

SHA1
1627ead1a8046e6d9c32db473aefb82a5531b303

SHA256
359147b01d0dc5621014cac3fe4f9eedb53e10fbcba4459726f6b6d69418a308

SHA512
d88a4ed49e4e43e52dfe9096caeb70ad9f54a4be58104c474954fe41c8208878a93d25a2c7f4bdd2c4e14638ef9f3afb2602e4e21b2abedd8b04e7803132a586

Download Submit
\??\c:\users\admin\appdata\local\dtjxyjfndi
Filesize
19.2MB

MD5
b49686beda51cec1fa9f478a0e59c79c

SHA1
6d06b15bb5f6b3d76000579e1480360b40b7bdd3

SHA256
8fb5247cb386c5bf568dc10509134df4124685f0044b95e0848d8b93a045afae

SHA512
0e27fa01c6cc8fc3c2fcc4415c116d120c371fb46a4d68d89d934898b196ba5da0307f521dc6adb7d62a8edc05883143c2ba56219d4f0a7ded366239ad57160f

Download Submit
memory/840-148-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/840-133-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/840-146-0x0000000000590000-0x0000000000603000-memory.dmp

Filesize
460KB

Download
memory/840-140-0x0000000000590000-0x0000000000603000-memory.dmp

Filesize
460KB

Download
memory/1320-155-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1320-162-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1320-161-0x0000000001F90000-0x0000000002003000-memory.dmp

Filesize
460KB

Download
memory/1320-160-0x0000000001F90000-0x0000000002003000-memory.dmp

Filesize
460KB

Download
memory/1320-154-0x0000000001F90000-0x0000000002003000-memory.dmp

Filesize
460KB

Download
memory/3376-166-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3904-163-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/4640-170-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download