gh0strat | 46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a

General

Target

46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe
Size

252KB
MD5

7c77f7a1ebddd9579a7567dedb131a95
SHA1

76aedce6c1483506c33f1cb00cbe72a4f9387427
SHA256

46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a
SHA512

3187ca40dd4c3fb9aead5b5eef1682a1128c957a41df1d5d0947b1f666c04737aacbdbb5c7deb9a2fb276a77437b456695f55e8429362fd68de5660e9da82e73

Score

10^/10

gh0strat evasion rat trojan

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4628-130-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat
behavioral2/memory/4504-136-0x0000000010000000-0x0000000010032000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

Eoksc.pifEoksc.pifEoksc.pif

pid process

4504 Eoksc.pif
3464 Eoksc.pif
3032 Eoksc.pif

pid	process
4504	Eoksc.pif
3464	Eoksc.pif
3032	Eoksc.pif

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exeEoksc.pifEoksc.pifEoksc.pif

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Eoksc.pif

Drops file in System32 directory 4 IoCs

Processes:

Eoksc.pif

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Eoksc.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Eoksc.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Eoksc.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Eoksc.pif

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3500 4504 WerFault.exe Eoksc.pif
4316 3464 WerFault.exe Eoksc.pif

pid	pid_target	process	target process
3500	4504	WerFault.exe	Eoksc.pif
4316	3464	WerFault.exe	Eoksc.pif

Modifies data under HKEY_USERS 8 IoCs

Processes:

Eoksc.pif

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Eoksc.pif
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Eoksc.pif
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Eoksc.pif
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Eoksc.pif
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Eoksc.pif
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Eoksc.pif
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Eoksc.pif
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Eoksc.pif

Suspicious behavior: RenamesItself 1 IoCs

Processes:

46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe

pid process

4628 46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe

pid	process
4628	46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Eoksc.pif

description	pid	process	target process
PID 4504 wrote to memory of 3464	4504	Eoksc.pif	Eoksc.pif
PID 4504 wrote to memory of 3464	4504	Eoksc.pif	Eoksc.pif
PID 4504 wrote to memory of 3464	4504	Eoksc.pif	Eoksc.pif
PID 4504 wrote to memory of 3032	4504	Eoksc.pif	Eoksc.pif
PID 4504 wrote to memory of 3032	4504	Eoksc.pif	Eoksc.pif
PID 4504 wrote to memory of 3032	4504	Eoksc.pif	Eoksc.pif

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

Eoksc.pifEoksc.pifEoksc.pif46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Eoksc.pif
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe

C:\Users\Admin\AppData\Local\Temp\46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe
"C:\Users\Admin\AppData\Local\Temp\46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: RenamesItself
- System policy modification
PID:4628

C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif
"C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4504
- C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif
  "C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif" Win7
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - System policy modification
  PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1412
    3⤵
    - Program crash
    PID:4316
- C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif
  "C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif" Win7
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System policy modification
  PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 652
  2⤵
  - Program crash
  PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4504 -ip 4504
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3464 -ip 3464
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\Microsoft.NET\Eoksc.pif

Filesize
252KB

MD5
7c77f7a1ebddd9579a7567dedb131a95

SHA1
76aedce6c1483506c33f1cb00cbe72a4f9387427

SHA256
46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a

SHA512
3187ca40dd4c3fb9aead5b5eef1682a1128c957a41df1d5d0947b1f666c04737aacbdbb5c7deb9a2fb276a77437b456695f55e8429362fd68de5660e9da82e73

Download Submit
C:\ProgramData\Microsoft.NET\Eoksc.pif

Filesize
252KB

MD5
7c77f7a1ebddd9579a7567dedb131a95

SHA1
76aedce6c1483506c33f1cb00cbe72a4f9387427

SHA256
46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a

SHA512
3187ca40dd4c3fb9aead5b5eef1682a1128c957a41df1d5d0947b1f666c04737aacbdbb5c7deb9a2fb276a77437b456695f55e8429362fd68de5660e9da82e73

Download Submit
C:\ProgramData\Microsoft.NET\Eoksc.pif

Filesize
252KB

MD5
7c77f7a1ebddd9579a7567dedb131a95

SHA1
76aedce6c1483506c33f1cb00cbe72a4f9387427

SHA256
46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a

SHA512
3187ca40dd4c3fb9aead5b5eef1682a1128c957a41df1d5d0947b1f666c04737aacbdbb5c7deb9a2fb276a77437b456695f55e8429362fd68de5660e9da82e73

Download Submit
C:\ProgramData\Microsoft.NET\Eoksc.pif

Filesize
252KB

MD5
7c77f7a1ebddd9579a7567dedb131a95

SHA1
76aedce6c1483506c33f1cb00cbe72a4f9387427

SHA256
46228923291ceab1c75887af7394832bbb68bdd840b3d10c7bda8f2f5e85b25a

SHA512
3187ca40dd4c3fb9aead5b5eef1682a1128c957a41df1d5d0947b1f666c04737aacbdbb5c7deb9a2fb276a77437b456695f55e8429362fd68de5660e9da82e73

Download Submit
memory/3032-142-0x0000000000000000-mapping.dmp

Download
memory/3464-140-0x0000000000000000-mapping.dmp

Download
memory/4504-136-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/4628-130-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads