gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
432s
max time network
1155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

server.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral21/memory/3388-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral21/files/0x001a00000002aabb-12.dat	family_gh0strat
behavioral21/memory/3476-15-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral21/memory/3476-25-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral21/memory/3388-17-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral21/files/0x001a00000002ab04-28.dat	family_gh0strat
behavioral21/memory/3476-31-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral21/memory/1252-34-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral21/memory/1884-39-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral21/memory/1828-44-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral21/files/0x001d00000002aa52-2.dat	acprotect

Deletes itself 1 IoCs

pid	Process
3476	frddnqidbl

Executes dropped EXE 1 IoCs

pid	Process
3476	frddnqidbl

Loads dropped DLL 7 IoCs

pid	Process
3388	server.exe
3388	server.exe
3476	frddnqidbl
3476	frddnqidbl
1252	svchost.exe
1884	svchost.exe
1828	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\djjgtulhew	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dswacxofrr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dbunmrjjrb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3928	1252	WerFault.exe	78
3472	1884	WerFault.exe	82
3348	1828	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frddnqidbl
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3476	frddnqidbl
3476	frddnqidbl

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3476	frddnqidbl
Token: SeBackupPrivilege	3476	frddnqidbl
Token: SeBackupPrivilege	3476	frddnqidbl
Token: SeRestorePrivilege	3476	frddnqidbl
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeRestorePrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeSecurityPrivilege	1252	svchost.exe
Token: SeSecurityPrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeSecurityPrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeSecurityPrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1252	svchost.exe
Token: SeRestorePrivilege	1252	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeRestorePrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeSecurityPrivilege	1884	svchost.exe
Token: SeSecurityPrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeSecurityPrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeSecurityPrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1884	svchost.exe
Token: SeRestorePrivilege	1884	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeRestorePrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeSecurityPrivilege	1828	svchost.exe
Token: SeSecurityPrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeSecurityPrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeSecurityPrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeRestorePrivilege	1828	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3388	server.exe
3476	frddnqidbl

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3476	3388	server.exe	77
PID 3388 wrote to memory of 3476	3388	server.exe	77
PID 3388 wrote to memory of 3476	3388	server.exe	77

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3388
- \??\c:\users\admin\appdata\local\frddnqidbl
  "C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1100
  2⤵
  - Program crash
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1252 -ip 1252
1⤵
PID:2308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1108
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1884 -ip 1884
1⤵
PID:5000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1112
  2⤵
  - Program crash
  PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1828 -ip 1828
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\doi8F20.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\frddnqidbl

Filesize
22.1MB

MD5
2062a529abc59129add396f1ebb0989a

SHA1
791da57ab89a38239dfe8e0541daecdd86fe8cd6

SHA256
a49cceb58bcb389c7d0cc8f82f6786da626d4b643eb55fae5179462ea124718d

SHA512
6846e2cd4ab52f3a0f1ce35d29c8c484878a1c753f85d7202023179232d3aa55c6f0b7f6c619e46afa3b1844e3ccfa4b0d4753ef20f6d7ee5c5704929cb607f7

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
89210fb1a54248dbf727b8daddee654f

SHA1
aa48bb74ead4d55b4cb71e7f09ff4af818de612c

SHA256
9578cffa98a69caef47fd6a9ac856d9b3e16892a322ecc18b030cc45d6f8b2ff

SHA512
dcfb5c3cc91fac21d02ea41e822041a0abfb3c8697ccaed5dadc14cbbe69b652444fdbc5abe248c28cd6d3c1d811d22ea8823989cafa5fc467ca6b705d0c708d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
72c121ad4fc5d889ee205b1d0634fd05

SHA1
9b35ea724f257d9e3d90ccdd53445a9247b574c8

SHA256
7a0f63f60f741c1463e4bbd0d69f9234b3931e569225720f6c70d45d4c33d741

SHA512
c5162329dcdd0304e4662651fb2ad176c379b5d2446e9aed3fa22a42af62fb40e1120c73e06bd74f05ec9af05ab3e5868e05787e11eeafe667a9b44db81dbab7

Download Submit
\??\c:\programdata\drm\%sessionname%\yidwd.cc3

Filesize
24.1MB

MD5
c3f06f5383899953a4b2e9818893ba1c

SHA1
0511329a38cd458d955aeaa5cf4c5371f56f8e3d

SHA256
f14893eb1ee1fcec69a3b5e3af7eb83dbf8f576140cb06ec7e6adf14fa9ba62e

SHA512
40ab9313029953fc5ba9fb1051f97ad55224a31413b5437f70b90b3122147df11ebffefbaabb0997a2c325f2f48efaf04e2b613dad3d6489679b6ede89a216b2

Download Submit
memory/1252-34-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1252-32-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1828-44-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1828-41-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/1884-36-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1884-39-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3388-17-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3388-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3388-18-0x0000000002080000-0x00000000020F4000-memory.dmp

Filesize
464KB

Download
memory/3388-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3388-5-0x0000000002080000-0x00000000020F4000-memory.dmp

Filesize
464KB

Download
memory/3476-30-0x0000000002150000-0x00000000021C4000-memory.dmp

Filesize
464KB

Download
memory/3476-31-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3476-25-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3476-24-0x0000000002150000-0x00000000021C4000-memory.dmp

Filesize
464KB

Download
memory/3476-15-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download