gh0strat | 438e44aae94e8376d2e36e23212920e936b7517bca24eaf66e9d7d014e21552c

Analysis

max time kernel
423s
max time network
425s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yk.exe
Size

377KB
MD5

74a4b2735839c883bd1bd753d7626595
SHA1

011d7a1d087fea34d6af4c1b661db525cd8cb858
SHA256

b00dc6e609c148ce7ee7a46ee1ca1a27f75468df22604a8a4ba5bd3b30be10bd
SHA512

a9ce015efc94636ff959348fdf18a45bd3cbefd8ac85b26f14d63bc1688d381bd1c9f9e947ac61cb8e8a2aa18a78f3d6e5f7a530802a81276cb6cd859a881ae5
SSDEEP

6144:ysItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oXGxJOl9RtSxmGXNVeWxpHfaDXBi:ftWUzJq8YPbncT3+YqtumGKkajB/0qE

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral32/memory/3276-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/files/0x000500000001dc0c-12.dat	family_gh0strat
behavioral32/memory/1740-26-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/memory/3276-16-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/memory/1740-13-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/files/0x000300000001e730-29.dat	family_gh0strat
behavioral32/memory/1740-32-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/memory/1176-35-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral32/memory/4768-40-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral32/memory/4264-45-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral32/files/0x000c000000023b73-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1740	mknbqsqymd

Executes dropped EXE 1 IoCs

pid	Process
1740	mknbqsqymd

Loads dropped DLL 7 IoCs

pid	Process
3276	yk.exe
3276	yk.exe
1740	mknbqsqymd
1740	mknbqsqymd
1176	svchost.exe
4768	svchost.exe
4264	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\plfiwrlycj	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pttbfunwpf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pchtnxqtca	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1456	1176	WerFault.exe	93
1784	4768	WerFault.exe	98
872	4264	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mknbqsqymd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	mknbqsqymd
1740	mknbqsqymd

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1740	mknbqsqymd
Token: SeBackupPrivilege	1740	mknbqsqymd
Token: SeBackupPrivilege	1740	mknbqsqymd
Token: SeRestorePrivilege	1740	mknbqsqymd
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeRestorePrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeSecurityPrivilege	1176	svchost.exe
Token: SeSecurityPrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeSecurityPrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeSecurityPrivilege	1176	svchost.exe
Token: SeBackupPrivilege	1176	svchost.exe
Token: SeRestorePrivilege	1176	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeRestorePrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeSecurityPrivilege	4768	svchost.exe
Token: SeSecurityPrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeSecurityPrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeSecurityPrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4768	svchost.exe
Token: SeRestorePrivilege	4768	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeRestorePrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeSecurityPrivilege	4264	svchost.exe
Token: SeSecurityPrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeSecurityPrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeSecurityPrivilege	4264	svchost.exe
Token: SeBackupPrivilege	4264	svchost.exe
Token: SeRestorePrivilege	4264	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3276	yk.exe
1740	mknbqsqymd

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 1740	3276	yk.exe	88
PID 3276 wrote to memory of 1740	3276	yk.exe	88
PID 3276 wrote to memory of 1740	3276	yk.exe	88

C:\Users\Admin\AppData\Local\Temp\yk.exe
"C:\Users\Admin\AppData\Local\Temp\yk.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276
- \??\c:\users\admin\appdata\local\mknbqsqymd
  "C:\Users\Admin\AppData\Local\Temp\yk.exe" a -sc:\users\admin\appdata\local\temp\yk.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1080
  2⤵
  - Program crash
  PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1176 -ip 1176
1⤵
PID:4564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1084
  2⤵
  - Program crash
  PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4768 -ip 4768
1⤵
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1004
  2⤵
  - Program crash
  PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4264 -ip 4264
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqiA901.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\mknbqsqymd

Filesize
24.1MB

MD5
c559c8874429c16a546bd4e6d3efdac7

SHA1
fe83f2b2e7132a6d56fbd66af54e761538c9b48e

SHA256
e6532d18c6aadf7a6da606c5367290ab63c5467c97ff115a61eacf461c66adb4

SHA512
4739247586b5907c4c9fa8446fbf613bd2d4da83e906ab03a3e0c72f87ec8ca54ab968aaa83cdf2d3940adfddc093857f339e1da705a0de8d426fe8dac375da7

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
b2efe47056b4bbf41fcebe45b0827226

SHA1
ef1a076b282d5c2643ed596f42aac2a24157fad7

SHA256
86cdb9efd88b49315283dc2d908e7d6b064bdb0708cc98d34dd86670231b7db4

SHA512
2f20bc9585ace4be3b16e8828f7fc7b5a814516125efb296a0125edcd8743247119594c5465ae9177177e8f3ff803c6c142884dd67f597999a6caa38a9198f98

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
c763f96f4f79123dcd6a599c3226aa2f

SHA1
1c148afde4009dc8065d7236ea7e388606acd0a9

SHA256
1944dc2069fc584771c9268fa0bbbc80fd0a43de627a11055e6ffc77e97118d9

SHA512
3358dd2f087f81b02dbd004d53147a502f8a158b045b6416ba42ed9317f65d46b19b8facdd235c260f2b8c1fbd92f9336a7b45a4bbee50a3d52473fd091ca67e

Download Submit
\??\c:\programdata\drm\%sessionname%\ocfrw.cc3

Filesize
21.1MB

MD5
1f0bba87c8957b4734bda6c4ce80a5eb

SHA1
3186cdf5ce2cd984824da3a11b9851d0aa818806

SHA256
a4d6ec920b4b780e11a5731e17ef94210540621799697c9ef470bff8674e5fc6

SHA512
76e4782528c3d463a082ffe84ea324e54ae04289a889ed31cdeeda4dd356883fd2777ddaf85ab25d3ccc614a43977b2e1ca6c6682b0d2114f6801edb64425717

Download Submit
memory/1176-35-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1176-33-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/1740-26-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1740-25-0x0000000000550000-0x00000000005C3000-memory.dmp

Filesize
460KB

Download
memory/1740-31-0x0000000000550000-0x00000000005C3000-memory.dmp

Filesize
460KB

Download
memory/1740-13-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1740-24-0x0000000000550000-0x00000000005C3000-memory.dmp

Filesize
460KB

Download
memory/1740-32-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3276-16-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3276-17-0x0000000001F60000-0x0000000001FD3000-memory.dmp

Filesize
460KB

Download
memory/3276-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/3276-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3276-5-0x0000000001F60000-0x0000000001FD3000-memory.dmp

Filesize
460KB

Download
memory/4264-42-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4264-45-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4768-37-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4768-40-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download