gh0strat | 28d6550ecd85749c68dd2d947769e977aedc1a7887ca4a415106b0dd4b792370

General

Target

371ac34cd998b94b6d0abe94f43dee70.exe
Size

95KB
MD5

371ac34cd998b94b6d0abe94f43dee70
SHA1

f09f974beb7df42de9dec5a5d2b09afeb302f78d
SHA256

28d6550ecd85749c68dd2d947769e977aedc1a7887ca4a415106b0dd4b792370
SHA512

d2152f1b678f2f8f3dd347d919aa900ac35c254ad11af0ebb87ba44f7db2648bd6a089c405d722d76d4a0b1844737c2336a15234c5447f9339b27ef8225219a7
SSDEEP

1536:vRFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prklvQKLrW:vHS4jHS8q/3nTzePCwNUh4E9ojLrW

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000230f0-14.dat	family_gh0strat
behavioral2/files/0x000b0000000230f0-13.dat	family_gh0strat
behavioral2/memory/4188-15-0x0000000000400000-0x000000000044E3E8-memory.dmp	family_gh0strat
behavioral2/files/0x000b0000000230f0-18.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4188	mprtkboyuc

Executes dropped EXE 1 IoCs

pid	Process
4188	mprtkboyuc

Loads dropped DLL 3 IoCs

pid	Process
1012	svchost.exe
1584	svchost.exe
4320	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ryslrxtrmo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ryslrxtrmo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2544	1012	WerFault.exe	94
1140	1584	WerFault.exe	98
4672	4320	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4188	mprtkboyuc
4188	mprtkboyuc

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeRestorePrivilege	4188	mprtkboyuc
Token: SeBackupPrivilege	4188	mprtkboyuc
Token: SeBackupPrivilege	4188	mprtkboyuc
Token: SeRestorePrivilege	4188	mprtkboyuc
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeRestorePrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeSecurityPrivilege	1012	svchost.exe
Token: SeSecurityPrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeSecurityPrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeSecurityPrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1012	svchost.exe
Token: SeRestorePrivilege	1012	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeRestorePrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeSecurityPrivilege	1584	svchost.exe
Token: SeSecurityPrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeSecurityPrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeSecurityPrivilege	1584	svchost.exe
Token: SeBackupPrivilege	1584	svchost.exe
Token: SeRestorePrivilege	1584	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4188	4976	371ac34cd998b94b6d0abe94f43dee70.exe	92
PID 4976 wrote to memory of 4188	4976	371ac34cd998b94b6d0abe94f43dee70.exe	92
PID 4976 wrote to memory of 4188	4976	371ac34cd998b94b6d0abe94f43dee70.exe	92

C:\Users\Admin\AppData\Local\Temp\371ac34cd998b94b6d0abe94f43dee70.exe
"C:\Users\Admin\AppData\Local\Temp\371ac34cd998b94b6d0abe94f43dee70.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- \??\c:\users\admin\appdata\local\mprtkboyuc
  "C:\Users\Admin\AppData\Local\Temp\371ac34cd998b94b6d0abe94f43dee70.exe" a -sc:\users\admin\appdata\local\temp\371ac34cd998b94b6d0abe94f43dee70.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 856
  2⤵
  - Program crash
  PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1012 -ip 1012
1⤵
PID:3372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 936
  2⤵
  - Program crash
  PID:1140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1092
  2⤵
  - Program crash
  PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1584 -ip 1584
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4320 -ip 4320
1⤵
PID:4044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\xfbky.cc3

Filesize
916KB

MD5
46ecd5e72576d162bbad04893d98beb3

SHA1
26bbc75de934ff81f52a13ef15e6b5da98f0ea90

SHA256
76a11f5021220146532c08167fb2be7394f3ebbd43bc6666a7c8697495e23ded

SHA512
ba19a8a36bc7c4d8e48fe40fc171fa5f4dc466d68a3d9fb76a5f7f4cd9f5a2f9b547c4b89f8f63eb69bcb862628f87f301cd4ff0de0e1fea171efcf653da708f

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\xfbky.cc3

Filesize
92KB

MD5
a5b30680f77d31475c8610889f105a1d

SHA1
76d1388b39d680402cecbe8dffe75052b04aa74a

SHA256
140b8bf56825438dfa436eab63336d3b52e0584e55cdb74932c89cfd43035d7a

SHA512
e238f50b6d125daf5e67b9f5e2279e3abb584fe0694caad5a62267e8bed33a1a3ac09658e200ccafe8eef710d102377bf992352210870a02b1127a9e4a790cb6

Download Submit
C:\Users\Admin\AppData\Local\mprtkboyuc

Filesize
3.4MB

MD5
474571974dbb8829da4ad5292ca7ef90

SHA1
e88a2dea21f9121b01010bfc873539fe757a61e1

SHA256
4afbfc27b43e294a0fa63d85b629b999e9719a373e9e27f7fce8b0b57fc862e2

SHA512
a0b0a68bdcc4c56ca6edeb9353bd312e984730230735683004debbbf7c67f2029d98fcc8b46bbfdec4ec7540ef422f4e4881acf88bbe18285152640ed04ee9ce

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xfbky.cc3

Filesize
1.9MB

MD5
a448c8a6c264b28f784cb11e4af99b2a

SHA1
2a1408851ee19e1351d990b654b2c1c90e429fff

SHA256
7736ea2de6d5f20ae25bbba4933a326291c5df4b69e65529f38a81fd33e10c6e

SHA512
54836563f8916b23831ab43c940880259b0962c9e75b1d76933ecb66b9b063f6dc44caea5b2092f832731fe69fff35fa9ee12305de81b9a9253eff83ec031a1f

Download Submit
\??\c:\users\admin\appdata\local\mprtkboyuc

Filesize
2.2MB

MD5
7318f325e20352e894f143aad7f546db

SHA1
b27bf5190b40101c6251683c38c929ff6fc369a2

SHA256
fce17a853dfd841c6c169451fc1ac7bf32afdf9e61a13aa11bc8555bdeecd047

SHA512
23659d9fa9b7060d66b5d9f46ba0ca703e1f02583ebc7690b426561d7ebf1c30638b638cdb0fa9a77d629c502c77b1bc63b384270c329724c159a591910b4769

Download Submit
memory/1012-16-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/1584-19-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4188-8-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download
memory/4188-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4188-15-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download
memory/4976-9-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download
memory/4976-0-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download

Analysis

Sharing