gh0strat | 27f59251422932e92eda4b1ea0064c2dd86d005830646da316e9e6511f1c8bdc

General

Target

eb867fa5310709ec60c8b51f768dcf5d.exe
Size

96KB
MD5

eb867fa5310709ec60c8b51f768dcf5d
SHA1

2d61c3813518c310972a8578b90a51d2161058e5
SHA256

27f59251422932e92eda4b1ea0064c2dd86d005830646da316e9e6511f1c8bdc
SHA512

f76b246351b212ab5ab8e12abda8522f98338030e6e976cc8526b84c0c817db871bb2ba5e617e1c956fb15bbea037cc08103c9826bb5e0df3ff2e71ffc724788
SSDEEP

1536:6uFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prI7HlnxyHTH:6US4jHS8q/3nTzePCwNUh4E9I7H98HD

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023227-14.dat	family_gh0strat
behavioral2/files/0x0008000000023227-15.dat	family_gh0strat
behavioral2/memory/1204-16-0x0000000000400000-0x000000000044E318-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000023227-19.dat	family_gh0strat
behavioral2/files/0x0008000000023227-23.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1204	chjlivvgyj

Executes dropped EXE 1 IoCs

pid	Process
1204	chjlivvgyj

Loads dropped DLL 3 IoCs

pid	Process
1112	svchost.exe
3128	svchost.exe
3328	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qrhywkrgnm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qavsenteah	svchost.exe
File created	C:\Windows\SysWOW64\qamxdwcwns	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\qqojtdgsnj	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2904	1112	WerFault.exe	93
3400	3128	WerFault.exe	97
3440	3328	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1204	chjlivvgyj
1204	chjlivvgyj

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	1204	chjlivvgyj
Token: SeBackupPrivilege	1204	chjlivvgyj
Token: SeBackupPrivilege	1204	chjlivvgyj
Token: SeRestorePrivilege	1204	chjlivvgyj
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeRestorePrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeSecurityPrivilege	1112	svchost.exe
Token: SeBackupPrivilege	1112	svchost.exe
Token: SeRestorePrivilege	1112	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeRestorePrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeSecurityPrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3128	svchost.exe
Token: SeRestorePrivilege	3128	svchost.exe
Token: SeBackupPrivilege	3328	svchost.exe
Token: SeRestorePrivilege	3328	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 1204	4308	eb867fa5310709ec60c8b51f768dcf5d.exe	91
PID 4308 wrote to memory of 1204	4308	eb867fa5310709ec60c8b51f768dcf5d.exe	91
PID 4308 wrote to memory of 1204	4308	eb867fa5310709ec60c8b51f768dcf5d.exe	91

C:\Users\Admin\AppData\Local\Temp\eb867fa5310709ec60c8b51f768dcf5d.exe
"C:\Users\Admin\AppData\Local\Temp\eb867fa5310709ec60c8b51f768dcf5d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4308
- \??\c:\users\admin\appdata\local\chjlivvgyj
  "C:\Users\Admin\AppData\Local\Temp\eb867fa5310709ec60c8b51f768dcf5d.exe" a -sc:\users\admin\appdata\local\temp\eb867fa5310709ec60c8b51f768dcf5d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 792
  2⤵
  - Program crash
  PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1112 -ip 1112
1⤵
PID:3848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 852
  2⤵
  - Program crash
  PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3128 -ip 3128
1⤵
PID:3656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1060
  2⤵
  - Program crash
  PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3328 -ip 3328
1⤵
PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\yekjj.cc3

Filesize
45KB

MD5
30203266dd69f9e7dc0402d209471e1f

SHA1
ba83c3476e0568207852b2718d99b792b4e881a6

SHA256
7f5242aca79301b6f583869db33c763937293b4240c9fc8521b586634c3fdf31

SHA512
000ef14397bf782015b470e2ad7b3ad16868cd207fa838734ac904ccb41ef7e694469772b913907ba78b3b5d184ff36258987b8ee13744cecdb331148eede86f

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\yekjj.cc3

Filesize
36KB

MD5
cd17d30b17be9d03ffdcb32d1f358c13

SHA1
70fac90037300b95095f670b3067e72cf30665d4

SHA256
959fb8dd330a4afa724d776ff6c660b42c5fc72be4485b0c77654d7c6e305e37

SHA512
a72a484bea344d8787536b5b16bfd66fb427ed776317991562aca7f563905575aa1c0952b308e6d4b90fd5e3568073a65729abe9bfce9d5c378fd4eab1e73a60

Download Submit
C:\Users\Admin\AppData\Local\chjlivvgyj

Filesize
945KB

MD5
0b10961bd7726b55211e440da3bcfffc

SHA1
89e88451d5f6834128d4784b3620eecdc12f7908

SHA256
67ff4caab416c8a4175930d5a5a26ef54fede88a91e8a599eeb4d1716c860816

SHA512
629db73578d401602a2219528435c5feee51ec6a7591ba1f6fb6e68fbb841a0ffcf5796c80008fcc5ba5a68f6271f33d6f608449198ca86065991a0c7a9114f5

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
6ff48b0f4575716912f79579689c3178

SHA1
1bec9a060e090f18e5ff686b05b18d44dd637fd0

SHA256
e4215469e5c4f776932717c38c85138cb70ae868b4d0e15dbfa5d900ddb07739

SHA512
bf9a9a43e050dff1004e0ed147b598b0d5ce49107a4c8d5f0dd8bb055b66dcb5ae079da3587d2d5b88342c8720ffafbfedfe47d26dde98b65a4861c5e7be2d2f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
aa4845800145b95b3693beb805574c69

SHA1
ed504a198734dbe597f74b2d6a9dfe06125bee91

SHA256
b849b434e4745e554c67c24e7746b7ba1512ae6498fe010e4c936a14b191a90e

SHA512
2ce97e4a1558f21e867325a46f97edd4fb2e8dd5d4e4c0d3068745a123f32236f145b6317c2c62d94f54c0424ac0461e26e35c027ba7831c14bf5d6f8693c9fb

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\yekjj.cc3

Filesize
99KB

MD5
676b15b6be0e6214b35959b5bf103d2d

SHA1
f83dc9608f208f92f2cc45ea0cb7033cb8009d8c

SHA256
6318e8c46b3a17339097ad7db3a09aeed7848bb9d87f75315ed1be6938899651

SHA512
2d7a8c0d4f544a292b0a6694cbc7da84134cecf6be4e4792905e4d15683b29780ca509be9f6cf22b1e0ebf12e54448373020de6f69fa43eb7113f75367877932

Download Submit
\??\c:\users\admin\appdata\local\chjlivvgyj

Filesize
320KB

MD5
9f58b39ebc1e75d4db2bc6a09014a5ed

SHA1
c4a6a88fdb91a5e404fb708ce34c3e5ce013ab6c

SHA256
aeb871c23ffc01047c30d19adb810263058b06d6d415f5ae83a43deb82c6c9b9

SHA512
0891d428345a646fe21dfbd2ba935362a88cd30da804d7bd211f42bb0f7a7f1570f5a6c1fa135ffcf17b7a365e57ff760895588c3ac4a36fb7a8ff00533c72f5

Download Submit
memory/1112-17-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/1204-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/1204-16-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/3128-20-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/3328-24-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/4308-0-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/4308-10-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/4308-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing