gh0strat | 3f852c0f09007ea12f110306f3d4d27678032e9082242a8f3d291f4561286f11

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setups.exe
Size

22.6MB
MD5

d6437b34d2f4ebc283dba35fa11fec25
SHA1

cf4ede6cff02f7d43362e1a7c87657fa6099842d
SHA256

1a849f51b091f22e8949ca92f5e99482bd3d9202c76fa27afd209f0e21b46bcc
SHA512

02524b129c33b1e2c378fc46d9f1bf98f5422c1b4bac6fae9bbce46cba9a762970dc93a643c41aaefcafe43734fdba3ba8e78227dd559b3c3f135085f31e4cff
SSDEEP

6144:lUrJnWqbUNZFXXp1pvpGFd7XDda328nnnnnnR:qlWqYvMFJUma

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b36-7.dat	family_gh0strat
behavioral2/memory/4092-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4020-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2300-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
4400	gdskuwsbxe

Executes dropped EXE 1 IoCs

pid	Process
4400	gdskuwsbxe

Loads dropped DLL 3 IoCs

pid	Process
4092	svchost.exe
4020	svchost.exe
2300	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eogpwbbshl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\exddhuvxhv	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\egrwpxyutq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\Date\I%SESSIONNAME%\svnwi.cc3	gdskuwsbxe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3016	4092	WerFault.exe	87
436	4020	WerFault.exe	96
4664	2300	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setups.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdskuwsbxe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4400	gdskuwsbxe
4400	gdskuwsbxe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4400	gdskuwsbxe
Token: SeBackupPrivilege	4400	gdskuwsbxe
Token: SeBackupPrivilege	4400	gdskuwsbxe
Token: SeRestorePrivilege	4400	gdskuwsbxe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeRestorePrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeSecurityPrivilege	4092	svchost.exe
Token: SeSecurityPrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeSecurityPrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeSecurityPrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4092	svchost.exe
Token: SeRestorePrivilege	4092	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeRestorePrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeSecurityPrivilege	4020	svchost.exe
Token: SeSecurityPrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeSecurityPrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeSecurityPrivilege	4020	svchost.exe
Token: SeBackupPrivilege	4020	svchost.exe
Token: SeRestorePrivilege	4020	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeRestorePrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeSecurityPrivilege	2300	svchost.exe
Token: SeSecurityPrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeSecurityPrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeSecurityPrivilege	2300	svchost.exe
Token: SeBackupPrivilege	2300	svchost.exe
Token: SeRestorePrivilege	2300	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 4400	64	setups.exe	83
PID 64 wrote to memory of 4400	64	setups.exe	83
PID 64 wrote to memory of 4400	64	setups.exe	83

C:\Users\Admin\AppData\Local\Temp\setups.exe
"C:\Users\Admin\AppData\Local\Temp\setups.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64
- \??\c:\users\admin\appdata\local\gdskuwsbxe
  "C:\Users\Admin\AppData\Local\Temp\setups.exe" a -sc:\users\admin\appdata\local\temp\setups.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 884
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4092 -ip 4092
1⤵
PID:3560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 860
  2⤵
  - Program crash
  PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4020 -ip 4020
1⤵
PID:1144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 944
  2⤵
  - Program crash
  PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2300 -ip 2300
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gdskuwsbxe

Filesize
22.8MB

MD5
868b624c4d089da7de68a6d94e7a6056

SHA1
549e9bfa82e61a102f23c637dd98648e6be4e787

SHA256
f8edfbe970ed6cd29262ec26d4b5f04c4d21b89183acec87b3fa0607cfecb758

SHA512
f433986a1fa9ea0751958786a5e2f7c496045b67de74f79e5a9971694547dc721cb6431cfc9073d2a497149da1c795d1a9414a3c30624e593de19728e76a64c2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
252ac9dc4e5f9b47b7252802e4f92999

SHA1
45261f8bf80ad4daecde128df14811653c07f65d

SHA256
dc3fa1f935f90a3e117a1eca1d5d84e1a240a9f14f1b94fb159c690d65423eeb

SHA512
caccdcb3e29f468190ce6137d290df827cb5dec40c1ea9ff1a9f7ce8eccf08fe537f677dac2b48ee8a2fd6f310f73a7eb2023c947e20ef18a2a70b3ebf6936e2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
8a5c8cc02d4516a4965ced59b871e75c

SHA1
f1378d36dc532ba0793b03743c64427428a7747f

SHA256
d9ae756f59295049afdaa152ba6f3f022a11fdb14e89bd0384dcee4093eceb12

SHA512
8099d2f0f590e6f401f2af5f5b4180592a9d03ad52ea124d67c36f3d360141da83546949275c9d282fb55ef5e2468d1a387f7c5dfe04f0cc26f1e7f81109e009

Download Submit
\??\c:\program files (x86)\winrar\formats\date\i%sessionname%\svnwi.cc3

Filesize
23.1MB

MD5
5a00a1c116169c14dc031515e8f1d642

SHA1
276c69464fd646b973db25929aa5ba29af71897c

SHA256
0ef4d7f6a361418e517d9128b3410a01ecf8879aed4f3ad9778ec14fe44d2dc4

SHA512
7254f0bf5844b9c1b9ac637bc27999dd26ef83125ee12f457e9cfd612348e98c0f294bb1b009d546164ffaf49353d94b158a6c5e53ea711aad068598dc5a5966

Download Submit
memory/2300-18-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/2300-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4020-13-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/4020-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4092-9-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/4092-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download