gh0strat | a915f8bec41c30c7e93b2170187f0888aec0efd3a16eacb4b466aa70fcf5e59d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8ef14121f87dc3c1f0fe50da2642b0.exe
Size

95KB
MD5

1f8ef14121f87dc3c1f0fe50da2642b0
SHA1

7d291795e2f6aba675fedaf16f3381b1a576c63c
SHA256

a915f8bec41c30c7e93b2170187f0888aec0efd3a16eacb4b466aa70fcf5e59d
SHA512

90ae368bf91a7899cbd6a90a8f261d6a61c46dae7ec06ce3a07c5997c12dcb6b33b674ea46edf9a5fadb6b96bd6d9be21f42bb3bc859f738056edb0429d034b1
SSDEEP

1536:SYFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prFm2d11C:SKS4jHS8q/3nTzePCwNUh4E9Fm2d11C

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002313a-15.dat	family_gh0strat
behavioral2/files/0x000a00000002313a-14.dat	family_gh0strat
behavioral2/memory/4060-16-0x0000000000400000-0x000000000044E478-memory.dmp	family_gh0strat
behavioral2/files/0x000a00000002313a-19.dat	family_gh0strat
behavioral2/files/0x000a00000002313a-23.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4060	mkhbxduoyd

Executes dropped EXE 1 IoCs

pid	Process
4060	mkhbxduoyd

Loads dropped DLL 3 IoCs

pid	Process
1112	svchost.exe
3392	svchost.exe
5056	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xuiiagkqte	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xdwbijmoha	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\xdwbijmoha	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2180	1112	WerFault.exe	94
3436	3392	WerFault.exe	98
4812	5056	WerFault.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4060	mkhbxduoyd
4060	mkhbxduoyd

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4060	mkhbxduoyd
Token: SeBackupPrivilege	4060	mkhbxduoyd
Token: SeBackupPrivilege	4060	mkhbxduoyd
Token: SeRestorePrivilege	4060	mkhbxduoyd
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeRestorePrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeRestorePrivilege	1112	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeRestorePrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeSecurityPrivilege	3392	svchost.exe
Token: SeSecurityPrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeSecurityPrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeSecurityPrivilege	3392	svchost.exe
Token: SeBackupPrivilege	3392	svchost.exe
Token: SeRestorePrivilege	3392	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeRestorePrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeBackupPrivilege	5056	svchost.exe
Token: SeRestorePrivilege	5056	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4060	4148	1f8ef14121f87dc3c1f0fe50da2642b0.exe	92
PID 4148 wrote to memory of 4060	4148	1f8ef14121f87dc3c1f0fe50da2642b0.exe	92
PID 4148 wrote to memory of 4060	4148	1f8ef14121f87dc3c1f0fe50da2642b0.exe	92

C:\Users\Admin\AppData\Local\Temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe
"C:\Users\Admin\AppData\Local\Temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4148
- \??\c:\users\admin\appdata\local\mkhbxduoyd
  "C:\Users\Admin\AppData\Local\Temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe" a -sc:\users\admin\appdata\local\temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1032
  2⤵
  - Program crash
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1112 -ip 1112
1⤵
PID:920

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 884
  2⤵
  - Program crash
  PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3392 -ip 3392
1⤵
PID:4688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 884
  2⤵
  - Program crash
  PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5056 -ip 5056
1⤵
PID:1888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\fhthf.cc3

Filesize
760KB

MD5
de4c51ec27623e0df9864974e8193446

SHA1
ca694e31ea19e8fff23b421497d5254c7b4951f5

SHA256
d7c25e46cd4532baa798b36b3cdd6418ef5754c4f5e949f52b511fe4478335f4

SHA512
a3f57fb46365fe0bbf28a14bc46322d790ad3f32827981cccbe8aaf1ddbf6dfbd081704c631b770cd1e3f60f8d033a8c0c90b80563035644d3d32607ab474208

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\fhthf.cc3

Filesize
469KB

MD5
a85ccb40c93b7c4c2be6876e838187dd

SHA1
2423b2716c6e3b3472320e092629a84cad6f076f

SHA256
2942917bd64a1fd9053a9f1d3514ac9be54043d5fb33d3cd45f1b0fb03e23fc2

SHA512
cf081b1328a43fcb632d032939c6b2f91d0c7c6e09f5d575ed40dddf6143622a64c7713dde48a9566fdf126c7f7d655d9f454d284b246cf97962fd2ca3252b96

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\fhthf.cc3

Filesize
286KB

MD5
dac42a67faa1d2df889154fbd9b19515

SHA1
5289db25a13ec71cd2243c0a9062867f84192fd7

SHA256
d96b0e67e765eae0b857a805f66ab9c890fa480b22e1189e550e09cffc7fdb43

SHA512
f2e536f267e30e44e7e6b065dd45446628d19a6170d83549497f33f84e1d8c9a1573dc0de32c5824864cd29a1c12fd01fb0f5708fc0ee7164f3dd4f7cf48c9e3

Download Submit
C:\Users\Admin\AppData\Local\mkhbxduoyd

Filesize
1.6MB

MD5
020999cc05a0070c5d62278cc75b05bd

SHA1
edf5910bb3f777b36ab01fe9aea11140130e87a7

SHA256
17639f0008a7ee40e5b96d264979cbd30ce9248dced1d0f491d0d8a183837082

SHA512
4aa47ff7c74e1b8f852ad93e552f07ac5df13f31caf7fa6b04297221b3ad92e3d5ae406afe951b58045c81fcfeee98659269986be10b215ae597715d105c4f04

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
001f9a0d17f99a311e717ae25152dfb8

SHA1
45afb6516a50ae3b901b564676da9b427bb45f40

SHA256
1d92505335ff0f9173c59b9f26da42381f8195cc7955f2c932a7b255cb8a573b

SHA512
41d3c2d532ac38a438bb09edd5f876522038e8c69d1d67c869fad7a26c5c315643f04cd3b0b4d30f28960b3010ece937d641b40f4dd8cdde6f20903702d2ad65

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
59bd96c3e174df169ca4a5394e247af0

SHA1
bc202601dbfde0a241dfc4fb38dd0dbf5a4fa334

SHA256
ede6fce443d9f0fd67fb1293d57869f933e9a3337e7a3e67953af70a5903a334

SHA512
2b2d099fff9e33769f361caebbc24556d54b219b41549b01ef1dc4a1311d6beed1f2f8afa74116e48d069e29c5c271a0d7729ad636bd49cb7574e07a6e791158

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\fhthf.cc3

Filesize
1.3MB

MD5
acdcbcdefede1ec8aa906e749cb5078d

SHA1
f53b83b1464f30c0dd808d68993aac4ce316de04

SHA256
97e800060aaba6544d05133de0b95745ff7e6adc7649661ec5d365464b7140dc

SHA512
451dcfeeebabc9e4630ee1a8b08bf2af06f073fd472692b5642e9e0ece63c3e66371c4cef08196705cf5c813844f9a51f75562fe94ecacc667b1e9bca2dcc6f3

Download Submit
\??\c:\users\admin\appdata\local\mkhbxduoyd

Filesize
1.3MB

MD5
d15ee950e32611ac2c6b7130c1870814

SHA1
e97f8ea9ed16fa5fce2ba96e48af42cb2b8f1b85

SHA256
6df5f6d09ba07247082d012073ffc052433a1447c110d0ce035d77bdb56ea9cd

SHA512
138ee5b36b9a2a9599dc79319f03dd314171e381cd8bb4e815e8ea62f716b06f156772f4a631fa790eebd00434b15dbc525c1f459c89b1fc1c830f06e54f7723

Download Submit
memory/1112-17-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3392-20-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/4060-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4060-16-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/4060-9-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/4148-0-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/4148-10-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/4148-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5056-24-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download