gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
430s
max time network
1155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dhl.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral10/memory/3560-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral10/files/0x001900000002ac06-12.dat	family_gh0strat
behavioral10/memory/844-25-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral10/memory/3560-22-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral10/memory/844-15-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral10/files/0x001a00000002ac0a-28.dat	family_gh0strat
behavioral10/memory/844-31-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral10/memory/4036-34-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral10/memory/3592-39-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral10/memory/1924-44-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral10/files/0x0009000000029ccd-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
844	kmucwsrpnf

Executes dropped EXE 1 IoCs

pid	Process
844	kmucwsrpnf

Loads dropped DLL 7 IoCs

pid	Process
3560	dhl.exe
3560	dhl.exe
844	kmucwsrpnf
844	kmucwsrpnf
4036	svchost.exe
3592	svchost.exe
1924	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ciqwsivbnl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cqeqblyxbh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\cysjjobvnc	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3308	4036	WerFault.exe	78
1892	3592	WerFault.exe	82
672	1924	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmucwsrpnf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
844	kmucwsrpnf
844	kmucwsrpnf

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	844	kmucwsrpnf
Token: SeBackupPrivilege	844	kmucwsrpnf
Token: SeBackupPrivilege	844	kmucwsrpnf
Token: SeRestorePrivilege	844	kmucwsrpnf
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeRestorePrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeSecurityPrivilege	4036	svchost.exe
Token: SeBackupPrivilege	4036	svchost.exe
Token: SeRestorePrivilege	4036	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeRestorePrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeSecurityPrivilege	3592	svchost.exe
Token: SeSecurityPrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeSecurityPrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeSecurityPrivilege	3592	svchost.exe
Token: SeBackupPrivilege	3592	svchost.exe
Token: SeRestorePrivilege	3592	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeRestorePrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeSecurityPrivilege	1924	svchost.exe
Token: SeBackupPrivilege	1924	svchost.exe
Token: SeRestorePrivilege	1924	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3560	dhl.exe
844	kmucwsrpnf

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 844	3560	dhl.exe	77
PID 3560 wrote to memory of 844	3560	dhl.exe	77
PID 3560 wrote to memory of 844	3560	dhl.exe	77

C:\Users\Admin\AppData\Local\Temp\dhl.exe
"C:\Users\Admin\AppData\Local\Temp\dhl.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560
- \??\c:\users\admin\appdata\local\kmucwsrpnf
  "C:\Users\Admin\AppData\Local\Temp\dhl.exe" a -sc:\users\admin\appdata\local\temp\dhl.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 896
  2⤵
  - Program crash
  PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4036 -ip 4036
1⤵
PID:3536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 784
  2⤵
  - Program crash
  PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3592 -ip 3592
1⤵
PID:1780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1108
  2⤵
  - Program crash
  PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zqiA6FE.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\kmucwsrpnf

Filesize
19.6MB

MD5
654661d5582d618322b34aff46730b68

SHA1
8f21e3972448ab2b35ac5de210b911524c3e65c2

SHA256
21cc5d31d33788bd77b55ae4e72395c64e59d4ec0f2631ff5972cf114e9c76f1

SHA512
53abe3f33c39e494ff048c3429ebda9f7b19e6167adddd8e811a578b624842edb89a8bdc49d12c84031a1a4a2bfc83c2894da4c4c07b27fc0e49a3f715d31c22

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
49cf2e0a63b92f851dafe17f54eb7245

SHA1
65551682c03a031d8d6eab4bf67aa7fe8fe73725

SHA256
a02f48f8dad5bc2d1d0a7cd317ee0cd6e421486d4d0cd7d6e60e6061f9dedc24

SHA512
efaa9d2e199e81c52da180e54ded59e2dd16969ed6bf9511575433c68da80895b461748e974e6d329d0a6c0ded479aac37ea03849803738832ad52691c412caf

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
301B

MD5
39412ef53796475fa17df1d46ac1bc0b

SHA1
1dc46930635660e4f7c57fc5ac3b4f53724d1d6e

SHA256
866255af95c6b1405f8dc1aebfdfc8dd625f015413d3e8a89b98b7fe464afadf

SHA512
7a5ac56726bbb05cdac605a02a61421ba46c1bc75cfb721f308c85779de965f5a534aaafce35438c294b1c62dc1d3e87b35486a0fdaa72730458d48d73acf016

Download Submit
\??\c:\programdata\drm\%sessionname%\pmhos.cc3

Filesize
23.0MB

MD5
21e59a86fbb9ce69b28ccfd9f4a7db4b

SHA1
ded5c6fe3e1281b19fb53809f55b90d1b1bed2c8

SHA256
824000f3e1c86a9385512bc5afe076ef1ddf16afa39e8a48eaabb741fbe0bc02

SHA512
9a9dbdf0ec6d335a09b8c91c8a7df915e8b2a93dcc581d0937fe72f40da03bf6cfa3acf031b635ff0ea57dddaa6746620379d9655bc849284670fb150e939390

Download Submit
memory/844-31-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/844-25-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/844-24-0x0000000000780000-0x00000000007F4000-memory.dmp

Filesize
464KB

Download
memory/844-15-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/844-30-0x0000000000780000-0x00000000007F4000-memory.dmp

Filesize
464KB

Download
memory/1924-44-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1924-41-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

Filesize
4KB

Download
memory/3560-23-0x00000000007D0000-0x0000000000844000-memory.dmp

Filesize
464KB

Download
memory/3560-22-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3560-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3560-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3560-5-0x00000000007D0000-0x0000000000844000-memory.dmp

Filesize
464KB

Download
memory/3592-36-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3592-39-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4036-32-0x0000000001940000-0x0000000001941000-memory.dmp

Filesize
4KB

Download
memory/4036-34-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download