gh0strat | 0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe
Size

3.4MB
MD5

b2c4d176987ff64aa25fc66a3e6a210d
SHA1

d1bbf8af6cbc29fbf436598e79d1405810cb3281
SHA256

0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468
SHA512

99fa6b3687224d274b7f4c55d2627ebbafa8e224c23d56327586dae16a6459e143b2785e65a5f507e0c1d3d7314aca169c46ce6f410616d90ba423d56c1aa2fc
SSDEEP

98304:SyWe88ZahVMFO0MM+AHQB7j13y/NIhCqw:4clFO0neMBq

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 13 IoCs

resource	yara_rule
behavioral2/memory/1572-39-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/1572-40-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/1572-41-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/1572-42-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/4080-67-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/836-76-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/836-77-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/836-78-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/4644-93-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/4712-96-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/4712-97-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/836-100-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral2/memory/4712-104-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cookie.exe

Executes dropped EXE 6 IoCs

pid	Process
4916	svchosts.exe
1572	cookie.exe
4080	svghosts.exe
836	svghosts.exe
4644	svghosts.exe
4712	svghosts.exe

Loads dropped DLL 1 IoCs

pid	Process
3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001f656-5.dat	upx
behavioral2/memory/4916-12-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1572-36-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/1572-39-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/1572-40-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/1572-41-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/1572-42-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/4916-47-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4916-57-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/4080-67-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/836-71-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/836-76-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/836-77-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/836-78-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/4644-93-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/4712-96-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/4712-97-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/836-100-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral2/memory/4712-104-0x0000000010000000-0x000000001034B000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe	cookie.exe
File created	C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe-up.txt	svghosts.exe
File created	C:\Program Files\AppPatch\NetSyst96.dll	cookie.exe
File opened for modification	C:\Program Files\AppPatch\NetSyst96.dll	cookie.exe
File created	C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe	cookie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4552	836	WerFault.exe	99

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4916	svchosts.exe
4916	svchosts.exe
4916	svchosts.exe
4916	svchosts.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	cookie.exe
Token: SeDebugPrivilege	4080	svghosts.exe
Token: SeDebugPrivilege	836	svghosts.exe
Token: SeDebugPrivilege	836	svghosts.exe
Token: SeDebugPrivilege	836	svghosts.exe
Token: SeDebugPrivilege	4644	svghosts.exe
Token: SeDebugPrivilege	4712	svghosts.exe
Token: SeDebugPrivilege	4712	svghosts.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe
3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe
4916	svchosts.exe
4916	svchosts.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 4916	3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe	89
PID 3764 wrote to memory of 4916	3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe	89
PID 3764 wrote to memory of 4916	3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe	89
PID 3764 wrote to memory of 1572	3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe	90
PID 3764 wrote to memory of 1572	3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe	90
PID 3764 wrote to memory of 1572	3764	0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe	90
PID 1572 wrote to memory of 4080	1572	cookie.exe	97
PID 1572 wrote to memory of 4080	1572	cookie.exe	97
PID 1572 wrote to memory of 4080	1572	cookie.exe	97
PID 836 wrote to memory of 4644	836	svghosts.exe	101
PID 836 wrote to memory of 4644	836	svghosts.exe	101
PID 836 wrote to memory of 4644	836	svghosts.exe	101
PID 836 wrote to memory of 4712	836	svghosts.exe	102
PID 836 wrote to memory of 4712	836	svghosts.exe	102
PID 836 wrote to memory of 4712	836	svghosts.exe	102

C:\Users\Admin\AppData\Local\Temp\0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe
"C:\Users\Admin\AppData\Local\Temp\0e8753d876d0bf36e852219c39d3ed2bc7004e224826a68a2a603ec0ba38c468.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764
- C:\ProgramData\svchosts.exe
  "C:\ProgramData\svchosts.exe" C:\ProgramData\svchosts.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\ProgramData\cookie.exe
  "C:\ProgramData\cookie.exe" C:\ProgramData\cookie.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe
    "C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4080

C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe
"C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe
  "C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe
  "C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 644
  2⤵
  - Program crash
  PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 836 -ip 836
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe

Filesize
1.2MB

MD5
0af608ff32531182678d2e8af84c504e

SHA1
0909c0df1e6c40651d2d14ae95b7e17319b6fb07

SHA256
1cd6a853a28aad4802544c78da47b63cf1f600f412066e3c5b5fce750c6f4bdf

SHA512
d152c92f192f10264280398daaee8bb07c6ce8245a537cf4fd6478c164942c175ce9dd4d9a913d48804211dd1fe757a9d796852c32b5313d4d324da26ce9bf51

Download Submit
C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe

Filesize
1.5MB

MD5
d064e038ae292d8a20d9aa061774206d

SHA1
ab6513a429f73cafccd775bf3e8eabd165c7f7e3

SHA256
f09a52e4c5043202c2d1fd7c5b334582f4c72974934b70e6562d89b4b7b816d3

SHA512
13c6ccb5ec8e91518528ca2cc5d9d8aad907e54ba517950602762784caf9550de5f2950f576c5f876786d3367a94cd7b0352b697da55d1a5f3cd19cf7a2d1168

Download Submit
C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe

Filesize
3.3MB

MD5
a2d88958b053f7cf76b1bf69fc2ee040

SHA1
351a2d4a7fd791a57e620ba4427839b482c1e8c0

SHA256
61f12ebd2612b70219742a4d393696ac06bc55085b5d4e9bea4cdcc0bbd872bd

SHA512
9d91caaa795d5830bee9dc60d6a7376a3d3f2acd6cad67f0cbdf28726b3c38c2ae32818cc08db4bd3620ebaa40ade92caab810e91eeaa04409a52aeb07e7aa93

Download Submit
C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe

Filesize
320KB

MD5
7caae6f7b5efdc8ff0607708acc0a29d

SHA1
a37210bf257071aac05d37b73873d9bb64c023f8

SHA256
a3027a201a9524e0114dca9742ef5aa5dbd29635418b75910da4a64e45897ad8

SHA512
ee27efe2abbd9347f92b875881a86a116729cf76c97fbcdddf7dee0aeb1a9d32b29fb3e9a34ee5e339820e835d6efbd906ed0c25c4b92d428e4c04ba14d2759c

Download Submit
C:\Program Files (x86)\Microsoft Bedjqx\svghosts.exe

Filesize
448KB

MD5
cb46d80e717b60adcad29395f632e469

SHA1
61839783120038e65c27d995b4cd3d13950af846

SHA256
00fffe8c2e7436f93210302a176bb3e4d8e7fc79d22e487ab61a1e48698c584a

SHA512
7ea49813cf2d113bd83deb0d7612e3cbbb874748520822cd73b0b66d0e897bbb707c74729e32a631a9c8b9df8ec2c841a22385990e7a84035897f161b73950a4

Download Submit
C:\Program Files\AppPatch\NetSyst96.dll

Filesize
239KB

MD5
8c19d83ff359a1b77cb06939c2e5f0cb

SHA1
a01a199e6f6f3e84cef5c7e6251a2b1291217885

SHA256
7baee22c9834bef64f0c1b7f5988d9717855942d87c82f019606d07589bc51a9

SHA512
b241c7b0f6372483faf4630e82d7f609e8450bac17cedaeb8fc7db8157ec5363e153f5cab5188eee6d8b27b366656877d4421122c8e26a0a739b6c5308bde381

Download Submit
C:\ProgramData\cookie.exe

Filesize
104KB

MD5
22b0c81e7efec920e409d16d3ee17018

SHA1
105335daa8759681827938c7e856d43da5b13009

SHA256
688b3e87ff5b9e4fde893bbc38c76b9603418e772ba6148718e0872fe7cd782d

SHA512
967481c993d4caab1547967845f46d75c40793bb89c0413758c8dab8fbc061ddb05aa72090f3ea90620e3e3cff6abc30a4c3f8354b6ccfdb5be4b9a11ec8f16b

Download Submit
C:\ProgramData\svchosts.exe

Filesize
306KB

MD5
0369470b851e9ce4efb3e7095ee15109

SHA1
fa0f90c06b3ac37a66aa0e48ddb9814783796a15

SHA256
5f9e3991b11bf9bcc30cf10936f159eda834351d3fa181b11feb15f8f78a0809

SHA512
0dfb70787da59c803a71830ec2d69fc483841d48a112752f0ba9b6d8f1328b0d5e651eac9bd5978979f8500cc1e5886defb740f75cf02237510fb1778d670526

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
1.8MB

MD5
cb68857d28caf90d20c3207a6454fb28

SHA1
7128e441f2c1decf275d41835821a6e298a536ee

SHA256
45a2d58ed60835b825fed9bf0ffe08f459f28bd959348ecc990699f869e1f019

SHA512
3a2a237e20c64c66ed41b1eb3313251e01f8cca0e2c98b58b2642e3b15157a1235a2f7c437f5eeac725b48dc0e9e54574978f610cfcc0b9531916e5f33ade84b

Download Submit
memory/836-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-78-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/836-71-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/836-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-77-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/836-76-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/836-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-100-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/1572-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-39-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/1572-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-36-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/1572-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-42-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/1572-41-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/1572-40-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/3764-0-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/4080-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4080-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4080-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4080-67-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/4080-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4644-93-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/4644-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4644-98-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4712-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4712-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4712-96-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/4712-97-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/4712-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4712-104-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/4916-57-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4916-47-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4916-12-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download