gh0strat | 26cf8c53b438bd1329b6b45f9b6fb146458c889a4e5dbcd88e4cf393c4676cee

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bfaf13f199eea66483a44878dd5a646.exe
Size

96KB
MD5

6bfaf13f199eea66483a44878dd5a646
SHA1

03b73d5de0bb7fc3d5ec5c70b32a66f73db5583b
SHA256

26cf8c53b438bd1329b6b45f9b6fb146458c889a4e5dbcd88e4cf393c4676cee
SHA512

eef57fd4e021b5005699e7cba367377c0ee0b051a2fc66c28fb8dc78704838df6ce0002c8d8a41ac6942ee1724ece8b7e53640bc9c54a385859092104042a2f5
SSDEEP

1536:B5FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnRJiCTSv7ZU:BvS4jHS8q/3nTzePCwNUh4E9zi/zZU

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023149-14.dat	family_gh0strat
behavioral2/files/0x0009000000023149-13.dat	family_gh0strat
behavioral2/memory/4168-15-0x0000000000400000-0x000000000044E30C-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4168	mipvbvdbnu

Executes dropped EXE 1 IoCs

pid	Process
4168	mipvbvdbnu

Loads dropped DLL 3 IoCs

pid	Process
1912	svchost.exe
3248	svchost.exe
4372	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tjqbaeoenq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tjqbaeoenq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\trftihqcbl	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3340	1912	WerFault.exe	96
2808	3248	WerFault.exe	99
2672	4372	WerFault.exe	103

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	mipvbvdbnu
4168	mipvbvdbnu

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4168	mipvbvdbnu
Token: SeBackupPrivilege	4168	mipvbvdbnu
Token: SeBackupPrivilege	4168	mipvbvdbnu
Token: SeRestorePrivilege	4168	mipvbvdbnu
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeSecurityPrivilege	1912	svchost.exe
Token: SeSecurityPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeSecurityPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeSecurityPrivilege	1912	svchost.exe
Token: SeBackupPrivilege	1912	svchost.exe
Token: SeRestorePrivilege	1912	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeRestorePrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeSecurityPrivilege	3248	svchost.exe
Token: SeSecurityPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeSecurityPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeSecurityPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	3248	svchost.exe
Token: SeRestorePrivilege	3248	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeRestorePrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeSecurityPrivilege	4372	svchost.exe
Token: SeBackupPrivilege	4372	svchost.exe
Token: SeRestorePrivilege	4372	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4168	4348	6bfaf13f199eea66483a44878dd5a646.exe	48
PID 4348 wrote to memory of 4168	4348	6bfaf13f199eea66483a44878dd5a646.exe	48
PID 4348 wrote to memory of 4168	4348	6bfaf13f199eea66483a44878dd5a646.exe	48

C:\Users\Admin\AppData\Local\Temp\6bfaf13f199eea66483a44878dd5a646.exe
"C:\Users\Admin\AppData\Local\Temp\6bfaf13f199eea66483a44878dd5a646.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- \??\c:\users\admin\appdata\local\mipvbvdbnu
  "C:\Users\Admin\AppData\Local\Temp\6bfaf13f199eea66483a44878dd5a646.exe" a -sc:\users\admin\appdata\local\temp\6bfaf13f199eea66483a44878dd5a646.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 860
  2⤵
  - Program crash
  PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1912 -ip 1912
1⤵
PID:4900

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1056
  2⤵
  - Program crash
  PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3248 -ip 3248
1⤵
PID:5088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 848
  2⤵
  - Program crash
  PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4372 -ip 4372
1⤵
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\ehive.cc3

Filesize
92KB

MD5
0948349ed92063f6af1d7b2841416c9e

SHA1
5f1c9f47825e75d0d5d689d0abdde18289f8a824

SHA256
766e3a563c4781cd5638f822607e57b2dedcdfc5b9e72db0244397879ea8299b

SHA512
bebe69644029bc286a57c64ded6910e6fce79bd8ea3aef0dfd223f2ddabe9e13aa17c15453de9ad561202f85cad4c6735e8cc79089935974c58a06bae6e02566

Download Submit
C:\Users\Admin\AppData\Local\mipvbvdbnu

Filesize
349KB

MD5
d483c3b39edfec91bd73835ba84d1855

SHA1
0bdbf8e458f1d1ca84e4332f371a1bfbd4adb5f3

SHA256
7393201eee261139ea2abb0652549c7da3288638c84f2a8088984427c8ae8659

SHA512
ce0acf2c0cafbb9aaac3b6909e70ce76f1f5844107d9819e1700d7c884b638e93ea0d641c083ea4483a916e583b53676de790ae684d881de00c716564af3d30f

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\ehive.cc3

Filesize
381KB

MD5
5b7e6c51879203e2766f6ee78f33e156

SHA1
82de957242be56fcd00faaf512eca7e1d8d97b98

SHA256
5ab7db75a5d73059e4915369aa2f2ca094fc5c848f742749ac974194c2c1f895

SHA512
8753cfeeffbbf469ada28add1d7c1b76aa4650246f4c397d256c0f56e5026ea1bfe3e1c311fe07b6bb9964acc70ed4cadb974e87b027b9f8d928aee2ffc76a1a

Download Submit
\??\c:\users\admin\appdata\local\mipvbvdbnu

Filesize
92KB

MD5
76c000dc4a8f7c35f8ec57e9c98ebe18

SHA1
e5644b532cc24f1adc70e1a23068c2b594f96d0e

SHA256
4a77080fe6165d6bc29202d43d7bf760f8b3a3521b8e9d39b0f2966a26b04d10

SHA512
b5e6240d5a51dfd6e9bc3ee0dc71ceb11b5852306d661ada2c3753299701592c2346d59f2a6aa587a6f824a2ee8c9d03500c33353957375524e1cc5724ff4425

Download Submit
memory/1912-16-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3248-19-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/4168-10-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/4168-15-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/4348-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4348-0-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/4348-7-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/4372-23-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download