gh0strat | 4fae0e5f3a40eb4ec224a211964012cdec8f1858196a71d9f2ba9e225c1a237a

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685988f0e34ca67647d7b97f35decedc.exe
Size

96KB
MD5

685988f0e34ca67647d7b97f35decedc
SHA1

0c55b1bbdd5e226a0787ef82aae79c8a7439e78c
SHA256

4fae0e5f3a40eb4ec224a211964012cdec8f1858196a71d9f2ba9e225c1a237a
SHA512

55e0d4d56e1793f440c0fdf3709aeecaf47f177daf9d7b54636aca097753dfe44fd27fa61765d485d54f5636a1c74a26b5e9100d18f11b6a6b3f33eb048c4c04
SSDEEP

1536:0QFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prQK7DPOQnZHTa:0iS4jHS8q/3nTzePCwNUh4E9L7pZHTa

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d00000002301c-13.dat	family_gh0strat
behavioral2/memory/4688-15-0x0000000000400000-0x000000000044E338-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4688	ihxewfjomc

Executes dropped EXE 1 IoCs

pid	Process
4688	ihxewfjomc

Loads dropped DLL 3 IoCs

pid	Process
228	svchost.exe
1668	svchost.exe
3216	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vwvbwemdwi	svchost.exe
File created	C:\Windows\SysWOW64\vnosltyrkk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\verecadmla	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\vniiobjfkn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3776	228	WerFault.exe	90
2636	1668	WerFault.exe	96
2488	3216	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4688	ihxewfjomc
4688	ihxewfjomc

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4688	ihxewfjomc
Token: SeBackupPrivilege	4688	ihxewfjomc
Token: SeBackupPrivilege	4688	ihxewfjomc
Token: SeRestorePrivilege	4688	ihxewfjomc
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeRestorePrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeSecurityPrivilege	3216	svchost.exe
Token: SeSecurityPrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeSecurityPrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeSecurityPrivilege	3216	svchost.exe
Token: SeBackupPrivilege	3216	svchost.exe
Token: SeRestorePrivilege	3216	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4688	3484	685988f0e34ca67647d7b97f35decedc.exe	89
PID 3484 wrote to memory of 4688	3484	685988f0e34ca67647d7b97f35decedc.exe	89
PID 3484 wrote to memory of 4688	3484	685988f0e34ca67647d7b97f35decedc.exe	89

C:\Users\Admin\AppData\Local\Temp\685988f0e34ca67647d7b97f35decedc.exe
"C:\Users\Admin\AppData\Local\Temp\685988f0e34ca67647d7b97f35decedc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- \??\c:\users\admin\appdata\local\ihxewfjomc
  "C:\Users\Admin\AppData\Local\Temp\685988f0e34ca67647d7b97f35decedc.exe" a -sc:\users\admin\appdata\local\temp\685988f0e34ca67647d7b97f35decedc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1052
  2⤵
  - Program crash
  PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 228 -ip 228
1⤵
PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1108
  2⤵
  - Program crash
  PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1668 -ip 1668
1⤵
PID:2832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 928
  2⤵
  - Program crash
  PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3216 -ip 3216
1⤵
PID:1012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ihxewfjomc

Filesize
21.1MB

MD5
0e40ae7a1d1df15a7be844a251123c71

SHA1
e0c8ceed99d060a070dcb0df5782a54a1226626b

SHA256
51ea68986f3343e9e492739ac81f8e765d5462b467e7eea86aa392112f602f84

SHA512
64d02d112a51717b451e9f1fdb747a7a3c1806d64e9fa9ffc8c10344d04b94444039e8456fc7361cbf3640b0de956457b5738a048653de0bd3884d4c7b5d2181

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
d74727b4dbcb05b6dafa505c55fe3cf4

SHA1
446e07bda5b938a772ca5cad7b1e71de78d5882f

SHA256
f0e60f1fee0eaf1d23004c824d91dbbe368b30a3ff63081661cdba034c114fa3

SHA512
4b867ed381ab1904e086d189863c20b9c6a601a9707fcc287123092db781e88331325573c5515993816bfa6424b134e05266fe75dd8e2b89a7e5fa1f4fb5c1ac

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
a48e2c79d5c249bf0b6986e6853f7c0c

SHA1
f65908eeb1d93967fb3ef09d1a2a2c74655bd7de

SHA256
1a54b2abd1385c4fcb268217bba4a893804685195f2ba93992b92622aa212103

SHA512
f8a67c9d015c25a4fee50be882187ec2f9360bc9eaee6588566ccbf61f14e489f27b23acb01f5c19ba0962419220facc3a41dd27c01d4d4a03e1fa8035696217

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\fyqtb.cc3

Filesize
19.0MB

MD5
2758c0e20bcf867afd8fd52069678209

SHA1
6c78af86b848c69ca7baa30aa8c26291a19c82b4

SHA256
0869a7d7884f1335975ba622a488df78ab24b7d03dadf1aae8743a3359de3aef

SHA512
d838e9a06960df314e3c694aefe47668a55c0685ce40ad7341a5a7538b51ad6877e63d58399842f668ccd8985cd0835ca069877344454c97721d2c6756fa7b48

Download Submit
memory/228-17-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/1668-20-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3216-24-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/3484-0-0x0000000000400000-0x000000000044E338-memory.dmp

Filesize
312KB

Download
memory/3484-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3484-10-0x0000000000400000-0x000000000044E338-memory.dmp

Filesize
312KB

Download
memory/4688-9-0x0000000000400000-0x000000000044E338-memory.dmp

Filesize
312KB

Download
memory/4688-15-0x0000000000400000-0x000000000044E338-memory.dmp

Filesize
312KB

Download