gh0strat | 438e44aae94e8376d2e36e23212920e936b7517bca24eaf66e9d7d014e21552c

Analysis

max time kernel
462s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bjyk.exe
Size

377KB
MD5

ca7c977b5b315dd62b0189f2619764db
SHA1

42ce52b22e5017990660148ba6c5ff0097c5af01
SHA256

c6d90ced12fb16ca9ae112787ce6d29379b06e0ba0a90595e337c07453a571fa
SHA512

b7be48e4c7ca12e0059a6b0064eaa8e8c1f4bbd7ed62c2a34671a5875ba25715b45b780d54e58f5429b2cade56244f6a820a46c0a45b0f7e9d4567213a499427
SSDEEP

6144:xsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90Q1vPjrVCTH3mwVaYo7/8FaA/:OtWUzJq8YPbncT3+vXPjc3xVaYo7UFyO

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral23/memory/4924-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral23/files/0x000c000000023c7c-12.dat	family_gh0strat
behavioral23/memory/4236-13-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral23/memory/4924-17-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral23/memory/4236-25-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral23/files/0x000300000001e727-28.dat	family_gh0strat
behavioral23/memory/4236-32-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral23/memory/2288-35-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral23/memory/2900-40-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral23/memory/2908-45-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral23/files/0x000c000000023c1e-2.dat	acprotect

Deletes itself 1 IoCs

pid	Process
4236	erpxyctmuh

Executes dropped EXE 1 IoCs

pid	Process
4236	erpxyctmuh

Loads dropped DLL 7 IoCs

pid	Process
4924	bjyk.exe
4924	bjyk.exe
4236	erpxyctmuh
4236	erpxyctmuh
2288	svchost.exe
2900	svchost.exe
2908	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pumqicykoi	svchost.exe
File created	C:\Windows\SysWOW64\pekervtpor	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pekervtpor	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pmxxaywmbm	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3208	2288	WerFault.exe	88
5068	2900	WerFault.exe	94
2056	2908	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erpxyctmuh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4236	erpxyctmuh
4236	erpxyctmuh

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4236	erpxyctmuh
Token: SeBackupPrivilege	4236	erpxyctmuh
Token: SeBackupPrivilege	4236	erpxyctmuh
Token: SeRestorePrivilege	4236	erpxyctmuh
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeRestorePrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeSecurityPrivilege	2900	svchost.exe
Token: SeSecurityPrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeSecurityPrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeSecurityPrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2900	svchost.exe
Token: SeRestorePrivilege	2900	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeRestorePrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeSecurityPrivilege	2908	svchost.exe
Token: SeBackupPrivilege	2908	svchost.exe
Token: SeRestorePrivilege	2908	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4924	bjyk.exe
4236	erpxyctmuh

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4236	4924	bjyk.exe	87
PID 4924 wrote to memory of 4236	4924	bjyk.exe	87
PID 4924 wrote to memory of 4236	4924	bjyk.exe	87

C:\Users\Admin\AppData\Local\Temp\bjyk.exe
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924
- \??\c:\users\admin\appdata\local\erpxyctmuh
  "C:\Users\Admin\AppData\Local\Temp\bjyk.exe" a -sc:\users\admin\appdata\local\temp\bjyk.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 812
  2⤵
  - Program crash
  PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2288 -ip 2288
1⤵
PID:3300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 928
  2⤵
  - Program crash
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2900 -ip 2900
1⤵
PID:4788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 932
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2908 -ip 2908
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nni8685.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\erpxyctmuh

Filesize
23.3MB

MD5
31d9df498c8030cfdad9d7cdc886e908

SHA1
b17abad617fe09a44b50f0c28cd6b1d8e9e71042

SHA256
a53c1f13ce41e3372ea8a58e976fd48a5b2628aed2366a03e0840662a3c3831c

SHA512
72b87cc1f5fc84de5d7295ef7be9d09f044b9cd36c346a55af4050992da81c6a7f139ae063c9b3b86cc9f5373d6dac785af82b595f9fa432772fc1d417c7273c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
198B

MD5
52d1f60dce852bef60d766f3ec250c60

SHA1
1d339a2e49e32c0f0f97a26fc31c31791983ee1a

SHA256
cc60389375de5efb4a01a719840a7254ceb03a045ced64e232a7abcf01925127

SHA512
427c40a419ed10b45cd1352da865fcee4dead8831f7b9d22bc764d5b6c47e90efddf39fc441c5a7c44642d4b7cad6ad5fa68b5fb5c0f6a86c4e3b83d7d84de30

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
298B

MD5
af108c6bef3d59625c230f80cb5377ed

SHA1
a5dd7020d1c082f9441fe20d2d6aaf47cb78345b

SHA256
bb967d82af948d1493fa72daf9bdc56a67c5f994b74e1e55fb05f6fd2fe88016

SHA512
48c2fe2a10acb4395caf29bc61a08a5e1d474d0d88219ee8d55910c3d537ebbe1b41534742afe71bc8a7977be4781b02ecf211677860379b08773bc891417398

Download Submit
\??\c:\programdata\drm\%sessionname%\ulrxi.cc3

Filesize
22.0MB

MD5
009821b412ea7ae60b78edd42b7f0de5

SHA1
de4c2faec33a0f922efe0ac3b5533e93330a9902

SHA256
d1917339d73d35e7b916029bee4d262cfdd3813927a88c96e0f72fe0ae67f5f8

SHA512
7631ef011ebbbe45ab8c153b5e6070714ab06b870a127984ec29a238437e5db66c4008590caa8e1c61d8b5aaae0e5690ae4d7ac57489df8e4c4133d6c8906c47

Download Submit
memory/2288-35-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2288-33-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/2900-37-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/2900-40-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2908-45-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2908-42-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4236-31-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/4236-32-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4236-13-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4236-25-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4236-24-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/4924-18-0x0000000000560000-0x00000000005D3000-memory.dmp

Filesize
460KB

Download
memory/4924-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4924-6-0x0000000000560000-0x00000000005D3000-memory.dmp

Filesize
460KB

Download
memory/4924-17-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4924-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download