gh0strat | 49bf9b104775088fe07e2f26ced8367189952df95575ad244a15fc593190f775

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0afaeef479f93bdc60bb639b18f60eca.exe
Size

95KB
MD5

0afaeef479f93bdc60bb639b18f60eca
SHA1

6e3c3d58bf88f80242c720c66fb93115e138724a
SHA256

49bf9b104775088fe07e2f26ced8367189952df95575ad244a15fc593190f775
SHA512

1718225859f9ed5b92c08e9664e7fca9b08f2047bf85e9dc2e32f230318dd56f297508c93adc1cf269b5371c985994b029d74e418091cf563d5810e964ce5d06
SSDEEP

1536:KFFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9bwLFk0D6A:KLS4jHS8q/3nTzePCwNUh4E92Fk0uA

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023200-14.dat	family_gh0strat
behavioral2/files/0x0007000000023200-15.dat	family_gh0strat
behavioral2/memory/644-16-0x0000000000400000-0x000000000044E5F0-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000023200-19.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
644	ldqdxhbmsw

Executes dropped EXE 1 IoCs

pid	Process
644	ldqdxhbmsw

Loads dropped DLL 3 IoCs

pid	Process
1864	svchost.exe
3340	svchost.exe
1408	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hxvybnydgy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hhjrjqbbtt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\hhjrjqbbtt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4780	1864	WerFault.exe	96
4032	3340	WerFault.exe	100
4512	1408	WerFault.exe	103

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	ldqdxhbmsw
644	ldqdxhbmsw

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	644	ldqdxhbmsw
Token: SeBackupPrivilege	644	ldqdxhbmsw
Token: SeBackupPrivilege	644	ldqdxhbmsw
Token: SeRestorePrivilege	644	ldqdxhbmsw
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeRestorePrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeSecurityPrivilege	1864	svchost.exe
Token: SeSecurityPrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeSecurityPrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeSecurityPrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeRestorePrivilege	1864	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeRestorePrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeSecurityPrivilege	3340	svchost.exe
Token: SeSecurityPrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeSecurityPrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeSecurityPrivilege	3340	svchost.exe
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeRestorePrivilege	3340	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeRestorePrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeSecurityPrivilege	1408	svchost.exe
Token: SeBackupPrivilege	1408	svchost.exe
Token: SeRestorePrivilege	1408	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 644	4456	0afaeef479f93bdc60bb639b18f60eca.exe	91
PID 4456 wrote to memory of 644	4456	0afaeef479f93bdc60bb639b18f60eca.exe	91
PID 4456 wrote to memory of 644	4456	0afaeef479f93bdc60bb639b18f60eca.exe	91

C:\Users\Admin\AppData\Local\Temp\0afaeef479f93bdc60bb639b18f60eca.exe
"C:\Users\Admin\AppData\Local\Temp\0afaeef479f93bdc60bb639b18f60eca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- \??\c:\users\admin\appdata\local\ldqdxhbmsw
  "C:\Users\Admin\AppData\Local\Temp\0afaeef479f93bdc60bb639b18f60eca.exe" a -sc:\users\admin\appdata\local\temp\0afaeef479f93bdc60bb639b18f60eca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 776
  2⤵
  - Program crash
  PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1864 -ip 1864
1⤵
PID:4416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 944
  2⤵
  - Program crash
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3340 -ip 3340
1⤵
PID:5064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 948
  2⤵
  - Program crash
  PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1408 -ip 1408
1⤵
PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\fpdkq.cc3

Filesize
1.4MB

MD5
c0abf1470c8b39d710fc1d950e53db56

SHA1
e0de3ff7e8bc4d0d49b83876880247e417840d66

SHA256
0af39471bf190808cdbe7ec4824d9018d888f417b98282ef4c0852630adea84f

SHA512
f2116bb85bce1815cd6cbe61a0a1ee4312e2ba77d0f738da679436e2b0607e786919d31faa5a87d28bcf03c5047b2be8446cd2212e422f057d025ccd5ade851d

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\fpdkq.cc3

Filesize
92KB

MD5
efa2b4b135a3e54b71caa41e42a2cb11

SHA1
afd1c75ba362a468dffa53e076574e9c7b8b641f

SHA256
5f53e55dc05baad6a5ebd84b92aa53bde495093b410635dc6228df318bfc05ec

SHA512
6d42518ba2eed656a7ccd1d1867a58b36a3e45647d9d7842f0a89843ad4a10c9ff28037d8cc02e0abedf9d459bda9e8d44f9ca8add1e506a60c9b262983f2f28

Download Submit
C:\Users\Admin\AppData\Local\ldqdxhbmsw

Filesize
2.8MB

MD5
0b46c9613aad9e42c03e9729ef473f7d

SHA1
d6b6ef89b49aec504b6547918dd7953df96229ef

SHA256
e32a48749b4f9c0c8d0da6de1cec138f6bdc5f54c64f9ca8b3a6c0ccbd20df49

SHA512
1051005a6e42190a27628d2af17e59d24dce1850a85874386dab24a40b6c1a4e7398d6202595ccf5fa5197c42d9dd9cd6433bb0466c048d932d5022da6a396cf

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\fpdkq.cc3

Filesize
1.4MB

MD5
15ed0d35eadb752b834877f5ec350b24

SHA1
330c7e205e9f940303c187ae2656bda94529970c

SHA256
d7757f627b66ada726521faffb71cee260a54f49a1a2c8f5bc7e250d55c6c0b8

SHA512
72370be5ea461e986b1695d118d7b79e9cc334ef10cda4461065c3ec14f2a146f4a5eebc9b8bc22c12dbf817091a660ae66c85f4efcdbf5eef03249812bae072

Download Submit
\??\c:\users\admin\appdata\local\ldqdxhbmsw

Filesize
1.8MB

MD5
99b570115f9df8b3955090731a5ffb23

SHA1
8902591f0ae347c679b3aa1fae0e19de42080a71

SHA256
2940a80efc073b4a6e478d88a0f596978deb26b908b8feef0aa4ee7f00c77fc3

SHA512
7652ba2628804d76f9d051f55b4ef6704839cc6ef6280717c1a5c0386dca886f571fe8f4f0605fcdc08485f4031022c05730d96da32a847600c7c469ddc36251

Download Submit
memory/644-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/644-10-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/644-16-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/1408-24-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1864-17-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/3340-20-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/4456-0-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/4456-9-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/4456-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download