gh0strat | bb74a9bea6c71ce682c75baaef31165c06a8ed5ad780aab64449c812eb275475

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

028289b4af9c7c35809b30f64b2367b5.exe
Size

95KB
MD5

028289b4af9c7c35809b30f64b2367b5
SHA1

c81fb7ddce0999bdbba1ce1767d487e1ce02659f
SHA256

bb74a9bea6c71ce682c75baaef31165c06a8ed5ad780aab64449c812eb275475
SHA512

ae5ef9bdb5a9e232fdf2c5066d93722d352ba392e8174c8b32c5162186e5b0ed0959726210313ac7bc1293da2c69483a50459408875ffdc84e987b1b68f91fa0
SSDEEP

1536:fHFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnMW5mb5EOs:fxS4jHS8q/3nTzePCwNUh4E9nWbGOs

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023238-15.dat	family_gh0strat
behavioral2/files/0x0008000000023238-14.dat	family_gh0strat
behavioral2/memory/1788-16-0x0000000000400000-0x000000000044E348-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000023238-19.dat	family_gh0strat
behavioral2/files/0x0008000000023238-23.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1788	hrbhtohemo

Executes dropped EXE 1 IoCs

pid	Process
1788	hrbhtohemo

Loads dropped DLL 3 IoCs

pid	Process
4632	svchost.exe
2748	svchost.exe
4172	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\perwusbkpv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pnfqdvdicr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pnfqdvdicr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4192	4632	WerFault.exe	98
2708	2748	WerFault.exe	102
3396	4172	WerFault.exe	105

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1788	hrbhtohemo
1788	hrbhtohemo

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1788	hrbhtohemo
Token: SeBackupPrivilege	1788	hrbhtohemo
Token: SeBackupPrivilege	1788	hrbhtohemo
Token: SeRestorePrivilege	1788	hrbhtohemo
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeRestorePrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeSecurityPrivilege	4632	svchost.exe
Token: SeSecurityPrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeSecurityPrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeSecurityPrivilege	4632	svchost.exe
Token: SeBackupPrivilege	4632	svchost.exe
Token: SeRestorePrivilege	4632	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeRestorePrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeSecurityPrivilege	4172	svchost.exe
Token: SeSecurityPrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeSecurityPrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeSecurityPrivilege	4172	svchost.exe
Token: SeBackupPrivilege	4172	svchost.exe
Token: SeRestorePrivilege	4172	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1788	4480	028289b4af9c7c35809b30f64b2367b5.exe	93
PID 4480 wrote to memory of 1788	4480	028289b4af9c7c35809b30f64b2367b5.exe	93
PID 4480 wrote to memory of 1788	4480	028289b4af9c7c35809b30f64b2367b5.exe	93

C:\Users\Admin\AppData\Local\Temp\028289b4af9c7c35809b30f64b2367b5.exe
"C:\Users\Admin\AppData\Local\Temp\028289b4af9c7c35809b30f64b2367b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480
- \??\c:\users\admin\appdata\local\hrbhtohemo
  "C:\Users\Admin\AppData\Local\Temp\028289b4af9c7c35809b30f64b2367b5.exe" a -sc:\users\admin\appdata\local\temp\028289b4af9c7c35809b30f64b2367b5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1092
  2⤵
  - Program crash
  PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4632 -ip 4632
1⤵
PID:2204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 916
  2⤵
  - Program crash
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2748 -ip 2748
1⤵
PID:4216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 884
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4172 -ip 4172
1⤵
PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\oncvj.cc3

Filesize
56KB

MD5
ab46fb2c50a66ae848b7ddf7c1ce0eb6

SHA1
0315a4e6fb0686467eb7c68e95bb23755bc8ca4e

SHA256
e0badc39bda769ccdfa658437bc390adadd364728ac9c9bf9e87ef0464431b2d

SHA512
6c0ab364712037684ffdd0b7cadfe556bad52297b9bdc5b3dcf45d830d558a95d66774c25274c26a7bca99df821f8f255cf6338301341d2df8d9d5ba433d97af

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\oncvj.cc3

Filesize
293KB

MD5
fccd262fc28f1bb797a5a88266b5ee8d

SHA1
764ca301895d25b2a470255c0c4528d26b10ffac

SHA256
b7f9b03b9c17cbabb2f23d85780413648ef6916de376a50051977d26adc526cb

SHA512
b9383e1378305be33c49682d4bb664eb86c4eba845644f25c72a54681d45286c6638bd863433ebcd5c4f090df95a3f243a0350d5328a9de5cd0ca833c7903a34

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\oncvj.cc3

Filesize
229KB

MD5
e3f045368383ef4dea2cac256735b166

SHA1
5657aac76cdb49fc46635a057ae9ebeaa3fdf360

SHA256
7cd5ce0c09c0e01902f393ed9097e424e7e62c5c2e1c16e6e3ee42e914ce6801

SHA512
2cf02615dd2d95c87f8a499f7d1b38c038e6acbb81dbb46f5a8de53c0e9b4cad150530f06de671ec250fee47ad22c8058c9621d2af00ecf6bc78548042beabb4

Download Submit
C:\Users\Admin\AppData\Local\hrbhtohemo

Filesize
535KB

MD5
b4129c902e23f447d9a4f8d4c6447f1e

SHA1
3f86dc849dd78d9b67da498887108e7d144b289a

SHA256
491e13c6c78535870e0dedb4282856855bfcb01f0815afc7aced4a5f9854856d

SHA512
2f943094744e2e275c5d113c213a9610d505924f79fa1e9d38d606d0f5b7a957224920f7e56e378f2cbddf604fb2e4e8316b17a17c51c476ce5f9da14eba5032

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
f5a5bed5f269a93a4e11b16280115368

SHA1
3eb52315a74adfba15262a7c8e63e54a79cfe510

SHA256
681e713ce42466bfd1c714016d89f19b6f99808f17cf99d68e391416997b895f

SHA512
0996061a2cc1f5eb28f6526d0595b21d0877dcfbc5442c7a4bc756dc9ec13843bf9845e2318d9401f67a0f0d170d9b78f2736fb54f6f912806c75af1aee6e5e6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
d9fe5efd01c0c64dcc82d75e3e8f2991

SHA1
c696a34bc9fdb7c46aa9ccf76ec2a390cdc65e00

SHA256
af8e2c3b195b9a7c859680a270e7cf077f834007789dd8785823a494c3c18bb5

SHA512
f185895902f0fc7989e0912e36387f7cb89811688f01b41620e1d242dc026426473117b7496ae454a7080deaaf42a365b2108a92b50bba56b09c3af6904f11a4

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\oncvj.cc3

Filesize
107KB

MD5
fd6df1157d36f969407bc8ae92efd3a2

SHA1
9130d41162257da7b2f61ecc9f26d3d55b30064e

SHA256
9d17c65633b40cd6476552cdaa59bc74efbfa018bea18c3c4d4dda7a71164a72

SHA512
34d70557d341a9b441925f620e7fe000159bb471b803746edbc3809dda71c71269850b1252fe124bbf7c035251dd040486929eaeb9a881463b4c3693b1a51b88

Download Submit
\??\c:\users\admin\appdata\local\hrbhtohemo

Filesize
418KB

MD5
bbd4cb28016a00fcb0be875c0f814f73

SHA1
c01bb725bf397fb316529930a22aed36da154c4f

SHA256
42c5ec624bdf1a42a7cf3d4c39ff9385d276a4f1c78ca27b636667abf323c301

SHA512
364c1c2637d2ada4e89f3f19d44df4b71a023cc881dc5a53a8dd0d82674fe79d0f67aff741793c74c2d38aac6abf80248e355f5feb7f33908e965840f8f62bb8

Download Submit
memory/1788-16-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/1788-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/2748-20-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/4172-24-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4480-7-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/4480-0-0x0000000000400000-0x000000000044E348-memory.dmp

Filesize
312KB

Download
memory/4480-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4632-17-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download