gh0strat | 3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe
Size

134KB
MD5

9600202e9919aa76d669a8a5115dfeb8
SHA1

9bd82a367d94ccf349338f4ae4a266ff600785f0
SHA256

3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b
SHA512

17905a5ade7a056287a56086411faac570f20721ef56e0d56dafbbba2f478e3e49d1b4e6228d3d62231e7c8f7a58ffa1591b36d67439de2b3430bf4354eed93f
SSDEEP

3072:bUD9JxpzoSIP9tKXYPgqtA8+FnH07e9R23RnvU:bUD9JxpzozP6vq+80nU7zR

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3592-6-0x0000000010000000-0x0000000010029000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
3592	RUNDLL32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
444	3592	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2588	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3592	2276	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	81
PID 2276 wrote to memory of 3592	2276	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	81
PID 2276 wrote to memory of 3592	2276	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	81

C:\Users\Admin\AppData\Local\Temp\3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe
"C:\Users\Admin\AppData\Local\Temp\3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "C:\Windows\Temp\yydsamingfack.fff" main
  2⤵
  - Loads dropped DLL
  PID:3592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 596
    3⤵
    - Program crash
    PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3592 -ip 3592
1⤵
PID:4404

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\yydsamingfack.fff

Filesize
80KB

MD5
cf6eb41c42d173427b7305b21ba4e655

SHA1
1ad2586df0b1a5d0d3c1cf7b0a463236e4ea8e1d

SHA256
1d297ec4b48c513a2632d8395c3df476a914c1e2732e8b830731493481ba0054

SHA512
2d7b2b64c056855202ab52ca3bb7301787659cd3131b7793c7c02a246d257e01dfdc15573bc3732b383778ad01ab65cfaeb05b9a8e7bc547dd7c8de7529a71ab

Download Submit
C:\Windows\Temp\yydsamingfack.fff

Filesize
80KB

MD5
cf6eb41c42d173427b7305b21ba4e655

SHA1
1ad2586df0b1a5d0d3c1cf7b0a463236e4ea8e1d

SHA256
1d297ec4b48c513a2632d8395c3df476a914c1e2732e8b830731493481ba0054

SHA512
2d7b2b64c056855202ab52ca3bb7301787659cd3131b7793c7c02a246d257e01dfdc15573bc3732b383778ad01ab65cfaeb05b9a8e7bc547dd7c8de7529a71ab

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2276-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2588-45-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-46-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-7-0x0000022FCF070000-0x0000022FCF080000-memory.dmp

Filesize
64KB

Download
memory/2588-23-0x0000022FCF170000-0x0000022FCF180000-memory.dmp

Filesize
64KB

Download
memory/2588-39-0x0000022FD7760000-0x0000022FD7761000-memory.dmp

Filesize
4KB

Download
memory/2588-40-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-41-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-42-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-43-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-44-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-75-0x0000022FD7600000-0x0000022FD7601000-memory.dmp

Filesize
4KB

Download
memory/2588-74-0x0000022FD74F0000-0x0000022FD74F1000-memory.dmp

Filesize
4KB

Download
memory/2588-47-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-48-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-49-0x0000022FD7790000-0x0000022FD7791000-memory.dmp

Filesize
4KB

Download
memory/2588-50-0x0000022FD73B0000-0x0000022FD73B1000-memory.dmp

Filesize
4KB

Download
memory/2588-51-0x0000022FD73A0000-0x0000022FD73A1000-memory.dmp

Filesize
4KB

Download
memory/2588-53-0x0000022FD73B0000-0x0000022FD73B1000-memory.dmp

Filesize
4KB

Download
memory/2588-56-0x0000022FD73A0000-0x0000022FD73A1000-memory.dmp

Filesize
4KB

Download
memory/2588-59-0x0000022FD72E0000-0x0000022FD72E1000-memory.dmp

Filesize
4KB

Download
memory/2588-71-0x0000022FD74E0000-0x0000022FD74E1000-memory.dmp

Filesize
4KB

Download
memory/2588-73-0x0000022FD74F0000-0x0000022FD74F1000-memory.dmp

Filesize
4KB

Download
memory/3592-6-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/3592-5-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads