gh0strat | 6868d3eb140a87cd85358038f3a87e9671d26bf8ba7b4553ca1b609e40e701ed

Analysis

max time kernel
53s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45610275588f9dae03a24529bb808eae.exe
Size

135KB
MD5

45610275588f9dae03a24529bb808eae
SHA1

1473e765bee15c12a139b78382a2572b2f3a599f
SHA256

6868d3eb140a87cd85358038f3a87e9671d26bf8ba7b4553ca1b609e40e701ed
SHA512

2d1121958fb272c6533a74474f961920d045f3e1d57ecfe686a1e9a0a1191badfbdc84c1301f314a2de8559d1ebb3190597818a12d53047741788b5946830649
SSDEEP

3072:o3c1fP4AJJYCPZ78gb1QBJci1UtMxYGSbKaJoq7:SOPjnB/b1QMTaoh

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000800000002321a-23.dat	family_gh0strat
behavioral2/files/0x000800000002321a-24.dat	family_gh0strat
behavioral2/memory/2816-25-0x0000000000400000-0x000000000243A000-memory.dmp	family_gh0strat
behavioral2/files/0x000800000002321a-28.dat	family_gh0strat
behavioral2/files/0x000800000002321a-32.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4728	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	66621.exe
2816	fskddpdhhm

Loads dropped DLL 3 IoCs

pid	Process
4760	45610275588f9dae03a24529bb808eae.exe
2972	svchost.exe
4184	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cerjutbhcs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cdhosdiaoe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 4728	4760	45610275588f9dae03a24529bb808eae.exe	95

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\%TOOYUAMER%\66621.exe	45610275588f9dae03a24529bb808eae.exe
File created	\??\c:\program files (x86)\fskddpdhhm	66621.exe
File opened for modification	\??\c:\program files (x86)\fskddpdhhm	66621.exe
File created	C:\Program Files (x86)\%TOOYUAMER%\qqofojgowv	fskddpdhhm

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2656	2972	WerFault.exe	101
4596	4184	WerFault.exe	105
640	3440	WerFault.exe	109

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	fskddpdhhm
2816	fskddpdhhm

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	2816	fskddpdhhm
Token: SeBackupPrivilege	2816	fskddpdhhm
Token: SeBackupPrivilege	2816	fskddpdhhm
Token: SeRestorePrivilege	2816	fskddpdhhm
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeRestorePrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeSecurityPrivilege	2972	svchost.exe
Token: SeSecurityPrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeSecurityPrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeSecurityPrivilege	2972	svchost.exe
Token: SeBackupPrivilege	2972	svchost.exe
Token: SeRestorePrivilege	2972	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeRestorePrivilege	4184	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2184	4760	45610275588f9dae03a24529bb808eae.exe	94
PID 4760 wrote to memory of 2184	4760	45610275588f9dae03a24529bb808eae.exe	94
PID 4760 wrote to memory of 2184	4760	45610275588f9dae03a24529bb808eae.exe	94
PID 4760 wrote to memory of 4728	4760	45610275588f9dae03a24529bb808eae.exe	95
PID 4760 wrote to memory of 4728	4760	45610275588f9dae03a24529bb808eae.exe	95
PID 4760 wrote to memory of 4728	4760	45610275588f9dae03a24529bb808eae.exe	95
PID 4760 wrote to memory of 4728	4760	45610275588f9dae03a24529bb808eae.exe	95
PID 2184 wrote to memory of 2816	2184	66621.exe	97
PID 2184 wrote to memory of 2816	2184	66621.exe	97
PID 2184 wrote to memory of 2816	2184	66621.exe	97

C:\Users\Admin\AppData\Local\Temp\45610275588f9dae03a24529bb808eae.exe
"C:\Users\Admin\AppData\Local\Temp\45610275588f9dae03a24529bb808eae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files (x86)\%TOOYUAMER%\66621.exe
  "C:\Program Files (x86)\%TOOYUAMER%\66621.exe" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2184
- - \??\c:\program files (x86)\fskddpdhhm
    "C:\Program Files (x86)\%TOOYUAMER%\66621.exe" /S a -sc:\program files (x86)\%tooyuamer%\66621.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  PID:4728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 860
  2⤵
  - Program crash
  PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2972 -ip 2972
1⤵
PID:4424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1112
  2⤵
  - Program crash
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4184 -ip 4184
1⤵
PID:1924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1108
  2⤵
  - Program crash
  PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3440 -ip 3440
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%TOOYUAMER%\66621.exe

Filesize
232KB

MD5
b72ad4d7dc70773f4689bea16dd5adde

SHA1
c18c507a8ebcaf7b1cc2fcd8d891468c687d6652

SHA256
2f1e045d0d8517b2684f2fdaed2c0f87e8ad6d902308cd4a7a337339ba14beb9

SHA512
411bebd6705f19edac186a6a3f75a2b0c15fcdb8ea276a73673343bc74d9196b0465c6ccf31140252242e81d2eada4de09b7ad551e917638fedd3f929a7b16b7

Download Submit
C:\Program Files (x86)\%TOOYUAMER%\66621.exe

Filesize
167KB

MD5
84f91074680398fab251245719f20a77

SHA1
1804a09381afd6ba06cc060123d69f112ba15b4c

SHA256
c6b54d125bfd634147b8d10aa3b225cc2e22f09e9e9812b142feff3c253c27f4

SHA512
6b4adb61f71dd030731f1673dfe6af312f9fa67c1692147ba22f7cf221a5dbb0624fe7323f61b74a3b7e80d76a0f44d81f228db0223c62793a669849a2663485

Download Submit
C:\Program Files (x86)\fskddpdhhm

Filesize
42KB

MD5
50f69a9fb5cc36873ce5430e15d8bb34

SHA1
229736e2d665a66aabe3473cbcde15e7981b2bf4

SHA256
91bbcabbd0ed282ebc9bf21552c024ee1450ae286bedbb1a0fa15ff4049c4cb5

SHA512
f2d6d7ee118b395e136322bae83e22cf6d74c10510e9e28630997e141d115f27ea4fa8b1cd54bb3504ccad13a14d9362ea3043f4afed5d8b4396aaf85fb3e48b

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\bfmfo.cc3

Filesize
32KB

MD5
65307aaa2c69908f5fb3312c414a5363

SHA1
4bf3900bf74d4d0cc4ac99b294b7cb6018124601

SHA256
f791056b53b5c70e5742a5d8a05ad4aa365135952b4cdf5ebf0457b562948ca8

SHA512
199a36f3fc13de2f7f55de3c05e2c19f6581728d00f50c855a9e5737183f65e17a6322e0616322478ae0873773054e2d324db355038ebc7818bdc8b4be4fab6b

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\bfmfo.cc3

Filesize
36KB

MD5
d518796ccfba958bee9e9f9d75a44b7e

SHA1
f6ad99182aa6d08100c35b65d09db2a350a62cf4

SHA256
7af0e02f969a3ef413a645a0dd2af1cd5f8b1436f86e5af9aec9c844c43ed4c7

SHA512
6ae64ff1a968137b67f8a4163681659d8028bfbcd4d46ac96d63e5a142b44cecc81f0bb3a10bfec619203fc3c8b2ec09d3320214db3f89001cb9766f6171f1aa

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\bfmfo.cc3

Filesize
7KB

MD5
b67976dd870e9e930c1f0ab47d0f88e4

SHA1
33902ae7689c6213ac52807f38f6fe457605af13

SHA256
38cc76492e1f25254dbe84c6dda0f1e99c56be9b25ad040769110724a4d8b694

SHA512
2ed424408b85d9285a29e86168c64aec5a80b17a6339795c0c0808d728036fcab6336c3bcf859ef7bb2f7d06599481eb8cd23518c26c8ebc61848be74163fd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq702.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
a19c6b3261b4174947162e9eea2bcd57

SHA1
58151437fc2c6604ee809f7fbb88186c2f8168c6

SHA256
68993620a81d163ece86c59ae427d1c6776628fa91cc7b887fffb5b2f6b44fe2

SHA512
c6eeee4da8aa4af31c86c9ef9b894c5c834bf488fb876fcca2b97d0995be411406a4869dd870e0c84113c0a017f224a6dcdc59edeeaa840b6896b23f0abe25df

Download Submit
\??\c:\program files (x86)\fskddpdhhm

Filesize
50KB

MD5
1c628f9deaf5b70685b8a6164acbc16f

SHA1
8d7c3a3672df81508a023da00956575ec6bb267c

SHA256
70ef2a8ffe7c83f1f18c55f10faacfa7988cce207d63f317864713a3bcd4ce95

SHA512
76c3410c847bd518b015f1cf1bed6ce912aa6ee1d022a9924ee9b9d5b2af3eed444f2f8111ef4a22baa5b28bafe9dbe55d380b006bb793efa5d1b252a4322d9b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\bfmfo.cc3

Filesize
43KB

MD5
dacd2e13aea4b63ab4ce5731e93e9e0b

SHA1
488b83bb1470722698735149c497707a29596cd0

SHA256
003544af4073719de6b95e7f7770ce98a9ef735a6b77bcbcc3c23da3bf0067e5

SHA512
7ca81a4fbd84dcbc3dd931deba758170c46ad58f30c80e83900ad4c9b0f489ebc426c2447f52d6f77552d8f38a95f607f358f5fb2e00d5f77c3ec3d4a8710a1e

Download Submit
memory/2184-13-0x0000000000400000-0x000000000243A000-memory.dmp

Filesize
32.2MB

Download
memory/2184-18-0x0000000000400000-0x000000000243A000-memory.dmp

Filesize
32.2MB

Download
memory/2816-25-0x0000000000400000-0x000000000243A000-memory.dmp

Filesize
32.2MB

Download
memory/2816-20-0x0000000000400000-0x000000000243A000-memory.dmp

Filesize
32.2MB

Download
memory/2972-26-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/3440-33-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4184-29-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download