gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
433s
max time network
1159s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bj.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral4/memory/4108-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral4/memory/4108-17-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral4/memory/1648-25-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral4/files/0x001900000002ab76-14.dat	family_gh0strat
behavioral4/memory/1648-13-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral4/files/0x001a00000002ab78-29.dat	family_gh0strat
behavioral4/memory/1648-31-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral4/memory/4184-34-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral4/memory/3272-39-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral4/memory/1136-44-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/files/0x0009000000029d3e-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1648	ktqutyevif

Executes dropped EXE 1 IoCs

pid	Process
1648	ktqutyevif

Loads dropped DLL 7 IoCs

pid	Process
4108	bj.exe
4108	bj.exe
1648	ktqutyevif
1648	ktqutyevif
4184	svchost.exe
3272	svchost.exe
1136	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ahunvnjbdb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\apjheqlyqv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\axwaltnwdq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3740	4184	WerFault.exe	78
2028	3272	WerFault.exe	82
3668	1136	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktqutyevif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	ktqutyevif
1648	ktqutyevif

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeRestorePrivilege	1648	ktqutyevif
Token: SeBackupPrivilege	1648	ktqutyevif
Token: SeBackupPrivilege	1648	ktqutyevif
Token: SeRestorePrivilege	1648	ktqutyevif
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeRestorePrivilege	4184	svchost.exe
Token: SeSecurityPrivilege	4184	svchost.exe
Token: SeSecurityPrivilege	4184	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeSecurityPrivilege	4184	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeSecurityPrivilege	4184	svchost.exe
Token: SeBackupPrivilege	4184	svchost.exe
Token: SeRestorePrivilege	4184	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeRestorePrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeRestorePrivilege	3272	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeRestorePrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeRestorePrivilege	1136	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4108	bj.exe
1648	ktqutyevif

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1648	4108	bj.exe	77
PID 4108 wrote to memory of 1648	4108	bj.exe	77
PID 4108 wrote to memory of 1648	4108	bj.exe	77

C:\Users\Admin\AppData\Local\Temp\bj.exe
"C:\Users\Admin\AppData\Local\Temp\bj.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108
- \??\c:\users\admin\appdata\local\ktqutyevif
  "C:\Users\Admin\AppData\Local\Temp\bj.exe" a -sc:\users\admin\appdata\local\temp\bj.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1096
  2⤵
  - Program crash
  PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4184 -ip 4184
1⤵
PID:4744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 708
  2⤵
  - Program crash
  PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3272 -ip 3272
1⤵
PID:4248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 980
  2⤵
  - Program crash
  PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1136 -ip 1136
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DRM\%SESSIONNAME%\wnqvs.cc3

Filesize
22.0MB

MD5
40ec667ea3748cfe3d46de0789c2bb19

SHA1
f2f472dbfc03b357904b26485bf57e98c30063c5

SHA256
f36369422c807bfa6eb0b48f92cc2dfff414acb9be6c1acc70b048c63c4c1f49

SHA512
d763752a8a97369bcdcbe4f860c8916ca6f2b8c999e92055e025d3c061071166ff1c541d535b5bde5c69f41306f885f9e1c0e8101c2f278e1e1adaa6ed0ed24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiB779.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
c39b366a974fc29f0b4953e34ec776da

SHA1
b00881070a0316bb2fafb878cfab1caeaba33010

SHA256
852b22e67c90d89820cb7f6de38cb4be47eec6d065b3385ae1b80114a677783e

SHA512
e9473ab451a4f624be4939c97a9c9173e629e9adb2f132fbd0e8746c8e0414e945e25e688ebd6293adfc30072e5ec18ffc4340c7bbe0bfcae3e8b569905e0bf2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
b7048070ea552554e2ddfa5785f449ad

SHA1
9cc89845c286b20e3d4b11e854f1b056854e428a

SHA256
835a7ba3312670b25ca34c28038b499062c983fddb4f0c7cf14c42faad3bcd26

SHA512
8940f16f7f5c2b4f32fca3b2164f4a16510bd31eb78b68a3d868964d173e534c62d4dd023c2165e45bad8a488cea5c8c074d396eff12f945eb08c7b2ccc335d8

Download Submit
\??\c:\users\admin\appdata\local\ktqutyevif

Filesize
19.2MB

MD5
2e026bd0e0d686343274db104753850e

SHA1
951022e35f37755f4406483b30937eca73683430

SHA256
cff0c6bd02e50018606d67f01962fff054b8e02698a6484b816089b02dc3083f

SHA512
c7c942235d706777ec2f18d4e03a3f2147446c1e9ac3b48c6bb029fbce4c84bf066e3e3dfa9e6768e1253dab637e54723f24d22f6fbd19a0f947afcf9462c5c3

Download Submit
memory/1136-44-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1136-41-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/1648-13-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1648-23-0x0000000002160000-0x00000000021D4000-memory.dmp

Filesize
464KB

Download
memory/1648-24-0x0000000002160000-0x00000000021D4000-memory.dmp

Filesize
464KB

Download
memory/1648-30-0x0000000002160000-0x00000000021D4000-memory.dmp

Filesize
464KB

Download
memory/1648-25-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1648-31-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3272-36-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/3272-39-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4108-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4108-16-0x0000000002010000-0x0000000002084000-memory.dmp

Filesize
464KB

Download
memory/4108-17-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4108-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4108-6-0x0000000002010000-0x0000000002084000-memory.dmp

Filesize
464KB

Download
memory/4184-32-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/4184-34-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download