gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
439s
max time network
1160s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yk.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral31/memory/5628-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral31/files/0x001900000002abd6-13.dat	family_gh0strat
behavioral31/memory/5752-14-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral31/memory/5628-16-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral31/memory/5752-24-0x0000000000760000-0x00000000007D4000-memory.dmp	family_gh0strat
behavioral31/memory/5752-27-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral31/files/0x001a00000002abd8-30.dat	family_gh0strat
behavioral31/memory/5752-33-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral31/memory/6000-36-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral31/memory/1972-41-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral31/memory/6020-46-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral31/files/0x001a00000002ab83-2.dat	acprotect

Deletes itself 1 IoCs

pid	Process
5752	ostiusdoqs

Executes dropped EXE 1 IoCs

pid	Process
5752	ostiusdoqs

Loads dropped DLL 7 IoCs

pid	Process
5628	yk.exe
5628	yk.exe
5752	ostiusdoqs
5752	ostiusdoqs
6000	svchost.exe
1972	svchost.exe
6020	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\fsvynmtudl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\fbkrvpvspg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\fkhgfjqwpp	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4616	6000	WerFault.exe	79
2128	1972	WerFault.exe	83
4872	6020	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ostiusdoqs

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5752	ostiusdoqs
5752	ostiusdoqs

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5752	ostiusdoqs
Token: SeBackupPrivilege	5752	ostiusdoqs
Token: SeBackupPrivilege	5752	ostiusdoqs
Token: SeRestorePrivilege	5752	ostiusdoqs
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeRestorePrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeSecurityPrivilege	6000	svchost.exe
Token: SeSecurityPrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeSecurityPrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeSecurityPrivilege	6000	svchost.exe
Token: SeBackupPrivilege	6000	svchost.exe
Token: SeRestorePrivilege	6000	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeRestorePrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeSecurityPrivilege	1972	svchost.exe
Token: SeSecurityPrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeSecurityPrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeSecurityPrivilege	1972	svchost.exe
Token: SeBackupPrivilege	1972	svchost.exe
Token: SeRestorePrivilege	1972	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeRestorePrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeSecurityPrivilege	6020	svchost.exe
Token: SeSecurityPrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeSecurityPrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeSecurityPrivilege	6020	svchost.exe
Token: SeBackupPrivilege	6020	svchost.exe
Token: SeRestorePrivilege	6020	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5628	yk.exe
5752	ostiusdoqs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5628 wrote to memory of 5752	5628	yk.exe	78
PID 5628 wrote to memory of 5752	5628	yk.exe	78
PID 5628 wrote to memory of 5752	5628	yk.exe	78

C:\Users\Admin\AppData\Local\Temp\yk.exe
"C:\Users\Admin\AppData\Local\Temp\yk.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5628
- \??\c:\users\admin\appdata\local\ostiusdoqs
  "C:\Users\Admin\AppData\Local\Temp\yk.exe" a -sc:\users\admin\appdata\local\temp\yk.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 1104
  2⤵
  - Program crash
  PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6000 -ip 6000
1⤵
PID:3860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 884
  2⤵
  - Program crash
  PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1972 -ip 1972
1⤵
PID:1708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 860
  2⤵
  - Program crash
  PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6020 -ip 6020
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\api9700.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\ostiusdoqs

Filesize
22.4MB

MD5
503f589f44c4feeaf8b59587dac73711

SHA1
583012bfe244f5582e625ba3fb85c7043992c03c

SHA256
1a1efbf1f49754a2350a797e81ba51c1579445eac5771fcde40c82281431f55d

SHA512
6ba16a5ef96d612668854869395cf1095a218e4bb59edf28e1c98a2c003ab182fa4293059a1b471388a297d70e28f8210c2396da6e752df12804be98eeed6f9c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
b391319a7d810fa7dd9a7afce7903ad0

SHA1
c043d5aed45796cee675490374849edff90c6632

SHA256
86958c9009f43ed573027fd2d50b465459c0081a399ee7a712b835221af1079c

SHA512
f1773a14d96418d0ae8772b38329e0063d5339714ee9b46beab969b310b491c91a6bcb4f701bfda27b85177e64c6361912bcd7ee361b1f7a35e3319d38691c4d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
a1d72c8f960d827f6e654d1b769de787

SHA1
6f7b4ac429f1a1f5713349e110ccf9ccad350839

SHA256
fb2cdedaa01e73a7e8e2584923380695333fe973994cd0bc0d86a6d979dc0dd2

SHA512
037e0070832d3684b7ebd53b64ba6ccfac6fa1ae8fb4af63e6cce217bf045e420f41904ffd831466258903b538543a7f1c34d2d91fbc0d7779e4a2f16fa63a88

Download Submit
\??\c:\programdata\drm\%sessionname%\cmwkx.cc3

Filesize
22.1MB

MD5
dc7b954c0eb460183e4daac5fa8d3980

SHA1
9b99f89bfe3c3ff78ed872b80f2abb2970f889df

SHA256
99bfab4b4d78d6f7da17662d533cb3cf11e6973ed4fe976bcbd02238558b206e

SHA512
05bd723bcd2ee5ec9249c5647a103bdd9fb4860d57933003d2d7e815b7b0046a982cc5090bc7439309b60a762bda9a89bbd60ba2b01b7aa13ab79ea5c5b5f174

Download Submit
memory/1972-41-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1972-38-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/5628-8-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/5628-18-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/5628-16-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5628-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5628-9-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/5628-7-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/5752-26-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/5752-32-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/5752-33-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5752-27-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5752-24-0x0000000000760000-0x00000000007D4000-memory.dmp

Filesize
464KB

Download
memory/5752-14-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/6000-34-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/6000-36-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/6020-43-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/6020-46-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download