gh0strat | a2dc871f4bf02e16f9c7a4c83ebbc31685bf5e07cad527e6a136cf6644cabd94

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c062b4035e18c234c235dc9c9e89d830.exe
Size

95KB
MD5

c062b4035e18c234c235dc9c9e89d830
SHA1

efa1ab7ebe879a326b15a2f0977b13280eb5fa76
SHA256

a2dc871f4bf02e16f9c7a4c83ebbc31685bf5e07cad527e6a136cf6644cabd94
SHA512

256bc4a9e7f878310a9aec331047ef14410ad1d54f1e816d38b931587543df7e7859e8e1f48e430fbafb45c645b61d5745ecfdc8f13e33fbdbca8cb946db4a29
SSDEEP

1536:CYFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prPUSry9KLu:CKS4jHS8q/3nTzePCwNUh4E9PUSu9KLu

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ed-15.dat	family_gh0strat
behavioral2/memory/4500-16-0x0000000000400000-0x000000000044E404-memory.dmp	family_gh0strat
behavioral2/files/0x00070000000231ed-23.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4500	btgtbtkcee

Executes dropped EXE 1 IoCs

pid	Process
4500	btgtbtkcee

Loads dropped DLL 3 IoCs

pid	Process
1680	svchost.exe
1128	svchost.exe
4672	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sbmuherute	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\sjanphusha	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\sjanphusha	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3052	1680	WerFault.exe	96
1584	1128	WerFault.exe	101
4248	4672	WerFault.exe	104

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4500	btgtbtkcee
4500	btgtbtkcee

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4500	btgtbtkcee
Token: SeBackupPrivilege	4500	btgtbtkcee
Token: SeBackupPrivilege	4500	btgtbtkcee
Token: SeRestorePrivilege	4500	btgtbtkcee
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeRestorePrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeSecurityPrivilege	1680	svchost.exe
Token: SeSecurityPrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeSecurityPrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeSecurityPrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1680	svchost.exe
Token: SeRestorePrivilege	1680	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeRestorePrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeSecurityPrivilege	1128	svchost.exe
Token: SeSecurityPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeSecurityPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeSecurityPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeRestorePrivilege	1128	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeRestorePrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeSecurityPrivilege	4672	svchost.exe
Token: SeBackupPrivilege	4672	svchost.exe
Token: SeRestorePrivilege	4672	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4500	2816	c062b4035e18c234c235dc9c9e89d830.exe	92
PID 2816 wrote to memory of 4500	2816	c062b4035e18c234c235dc9c9e89d830.exe	92
PID 2816 wrote to memory of 4500	2816	c062b4035e18c234c235dc9c9e89d830.exe	92

C:\Users\Admin\AppData\Local\Temp\c062b4035e18c234c235dc9c9e89d830.exe
"C:\Users\Admin\AppData\Local\Temp\c062b4035e18c234c235dc9c9e89d830.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- \??\c:\users\admin\appdata\local\btgtbtkcee
  "C:\Users\Admin\AppData\Local\Temp\c062b4035e18c234c235dc9c9e89d830.exe" a -sc:\users\admin\appdata\local\temp\c062b4035e18c234c235dc9c9e89d830.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 776
  2⤵
  - Program crash
  PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1680 -ip 1680
1⤵
PID:4052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1120
  2⤵
  - Program crash
  PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1128 -ip 1128
1⤵
PID:388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 888
  2⤵
  - Program crash
  PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4672 -ip 4672
1⤵
PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\weepw.cc3

Filesize
19.1MB

MD5
3d90f617a949d6972fbeb0a4476aed09

SHA1
dd6731866dbe098f73925f153be7c5f0f709c75d

SHA256
041339a7d9468549cb6f95f3998953959062bfc9a7b4c07e8f61f2805b7697c0

SHA512
0b5ac25f100dcc8b2e26d2f044a0e776f457d52cc54fa061e54b8fddbe53cb52429cf71d6bbd9eae7350c65771c86d430d39ceb9406effdb31ca1441c45c1eeb

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\weepw.cc3

Filesize
2.2MB

MD5
bfed8c655b0f819d4c9823dee3814689

SHA1
2955338c30a3fc766ca21da3291ec3a47a05ffc9

SHA256
f8155eaa5e3954e8c34f18e80e455f81bb812c939200dd4f6eb44ba30f9bb7b6

SHA512
e43fd03952f09bd7513b51d0148a6582886d2ee7fb2f92210ecb78d2e8ce6b0d2ce2cb5d8a2377c253bb845f1a3588854e57062064277287484110098fa3865f

Download Submit
C:\Users\Admin\AppData\Local\btgtbtkcee

Filesize
22.0MB

MD5
84967328e1b6c4c90e481f78e7addb5a

SHA1
0a8d756a148ee74938db34ae5d386c1614d18f0d

SHA256
f7b0a9c6ee5353e59b0a27890f25e9f49902c26003a86cef289e6eaa27a92242

SHA512
21676b185b0803531270f59a07d9d0d26e3da883a0cf0b74ddb42ce9c442c2972848dabdb16f86b613be77e7d5db4d220b854274d3509e4069bbc35697489119

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
968b04ddd6f8bc172d5d56d10202143a

SHA1
489a702e5af99cd9d6983cf3ab9d23494e766d1f

SHA256
61c2ba19edd1ff5c2805d57dc1a07eab8b8b1ef8fb970620655105311f48e2f3

SHA512
8ec7313052f8c2837d45919f6930f8625598c3ae9a0f5bae448ff7fe1b72c8b7f704e80703a2df75433f885ac98bcfb0a669cfc44910c05160da9f37b6b17003

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
d680664a68abd7a19a08e8047f4da405

SHA1
4a68626d20d7011c228210e1401cf20ad51a4e3f

SHA256
fb0c0e15915aa70d26c822fb372665c07833c23d65295b07dac4c33adb4f3f28

SHA512
b5e4f856a8000242036dae39500ba583ca1345c0ae1300fb68600b9c87c2a44bb27c660f3124000cd433e842c9e61da86a201376858b3365021a79c37619ae65

Download Submit
memory/1128-20-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/1680-17-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/2816-7-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/2816-0-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/2816-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4500-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4500-10-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/4500-16-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/4672-24-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download