gh0strat | 02d06fdca8fb779ebc10df2d2aab7e56cd6c512ee743ac29c463cbeb084d620c

Analysis

max time kernel
1s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:15

Target

20f9afa820f1c7020273ad4e3ae2dd09.exe
Size

204KB
MD5

20f9afa820f1c7020273ad4e3ae2dd09
SHA1

05ed7a52956a171588b09108476274433af5646f
SHA256

02d06fdca8fb779ebc10df2d2aab7e56cd6c512ee743ac29c463cbeb084d620c
SHA512

144fe021d16b2f5676d0a841c4474baf2aef78b978ad32d7deb0af51ab51a561e3a44db1371b6f43268d94db9af4ad78b56c7bb96ed76821b9f2757fa25b7c4f
SSDEEP

3072:frBaHAhAtPf6BWHWVXhqPEzO/V1VrNYQkCA+HFSWvF3TBftEnob2RI:DuAh/WHv9DNYtEHhvF3TBlEnob/

Score

10^/10

gh0strat rat

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000300000001f45f-3.dat	family_gh0strat
behavioral2/files/0x000300000001f45f-4.dat	family_gh0strat
behavioral2/files/0x000e000000023123-10.dat	family_gh0strat
behavioral2/memory/888-19-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/888-23-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
888	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\alg.exe	svchost.exe
File opened for modification	C:\windows\alg.exe	svchost.exe
File created	C:\Windows\Sys.VBS	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	888	WerFault.exe	30

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 888	1440	20f9afa820f1c7020273ad4e3ae2dd09.exe	30
PID 1440 wrote to memory of 888	1440	20f9afa820f1c7020273ad4e3ae2dd09.exe	30
PID 1440 wrote to memory of 888	1440	20f9afa820f1c7020273ad4e3ae2dd09.exe	30
PID 888 wrote to memory of 4492	888	Process not Found	45
PID 888 wrote to memory of 4492	888	Process not Found	45
PID 888 wrote to memory of 4492	888	Process not Found	45

C:\Users\Admin\AppData\Local\Temp\20f9afa820f1c7020273ad4e3ae2dd09.exe
"C:\Users\Admin\AppData\Local\Temp\20f9afa820f1c7020273ad4e3ae2dd09.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:888
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1404
    3⤵
    - Program crash
    PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 888 -ip 888
1⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
385KB

MD5
4e0b7cf643c356f283dc7f38d64f97ad

SHA1
c050001972f1bc31aa06452e2c8fcf1567f15e11

SHA256
b95f0da3c53473692dc1c1d11d0e48f428dfb905667980590b4eff36525f6c72

SHA512
2d84e027b21a088015804e7067e9b86b23a52bd78451724a66eb33bc29ff1d30a47b676080d5e209c8a3cb1ea768184a2f44a566999e989f7c0d2c33ac45e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
93KB

MD5
86c9aeda298f54094d91ae47c57ea57b

SHA1
08d77dc5a6ce1a79a3220db0024e2e1bcaf59658

SHA256
334b2a86e0850eee4579e943e77ca9f5bf9a68ef6849de91698843fd5af898a6

SHA512
f5fa6b72eb38bcbc687b283df849b797dafbf689786773957e893dc8d4d67b10b1afe707bd93b8ab4c1c9c57fae81499ac3ec9f3fd3f3e7196c5ab391f6614d2

Download Submit
C:\Windows\Sys.VBS

Filesize
1KB

MD5
e5baac34de9a9068a0c901392f21efe5

SHA1
77f9cb2be96bfbf4e0eefb27b759faeb13b50b29

SHA256
7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9

SHA512
dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374

Download Submit
memory/888-19-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/888-21-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/888-23-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download