gh0strat | 46bed426035dbd31cb6736dd3f573944d0c47e3d474b02fef43b537bf2ec2e3e

General

Target

tmp.exe
Size

156KB
MD5

0f9e62354cf5353a7adcbe67cd3bcd93
SHA1

8416803e9819e46032a036b5d35d1ca628cf2b76
SHA256

46bed426035dbd31cb6736dd3f573944d0c47e3d474b02fef43b537bf2ec2e3e
SHA512

7b4d05d867f6e1b3b8356fe295f536aece5b92d38051d10b9054b4b626928fbc4b94c948f894c182214911be2564d838c56a0ab62ecf642f1bed1447d24120ad

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240548359.jpg	family_gh0strat
\??\c:\windows\SysWOW64\240548359.jpg	family_gh0strat
C:\Windows\SysWOW64\240548359.jpg	family_gh0strat
C:\Windows\SysWOW64\240548359.jpg	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

windowsÏµÍ³Ö÷¶¯·ÀÓù.exe

pid process

1232 windowsÏµÍ³Ö÷¶¯·ÀÓù.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 3 IoCs

Processes:

tmp.exesvchost.exewindowsÏµÍ³Ö÷¶¯·ÀÓù.exe

pid process

2584 tmp.exe
904 svchost.exe
1232 windowsÏµÍ³Ö÷¶¯·ÀÓù.exe

pid	process
1232	windowsÏµÍ³Ö÷¶¯·ÀÓù.exe

pid	process
2584	tmp.exe
904	svchost.exe
1232	windowsÏµÍ³Ö÷¶¯·ÀÓù.exe

Drops file in System32 directory 4 IoCs

Processes:

tmp.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240548359.jpg	tmp.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	tmp.exe
File created	C:\Windows\SysWOW64\windowsÏµÍ³Ö÷¶¯·ÀÓù.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\windowsÏµÍ³Ö÷¶¯·ÀÓù.exe	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

tmp.exe

pid process

2584 tmp.exe

pid	process
2584	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 904 wrote to memory of 1232	904	svchost.exe	windowsÏµÍ³Ö÷¶¯·ÀÓù.exe
PID 904 wrote to memory of 1232	904	svchost.exe	windowsÏµÍ³Ö÷¶¯·ÀÓù.exe
PID 904 wrote to memory of 1232	904	svchost.exe	windowsÏµÍ³Ö÷¶¯·ÀÓù.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
PID:2584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "windowsÏµÍ³Ö÷¶¯·ÀÓù"
1⤵
PID:4156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "windowsÏµÍ³Ö÷¶¯·ÀÓù"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\windowsÏµÍ³Ö÷¶¯·ÀÓù.exe
C:\Windows\system32\windowsÏµÍ³Ö÷¶¯·ÀÓù.exe "c:\windows\system32\240548359.jpg",MainInstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\240548359.jpg
Filesize
56KB

MD5
c6f4236d5f7929a26adec9ba633c507b

SHA1
293667b7ef95c9fa29df0e822c074804fdd9c56a

SHA256
c93c2117ff7edbd247979093f826759455c9cd536087daa568a3b6ba570b0aba

SHA512
cd8178575393f6b9ff0889c198ea543cb4928e34174681fef7ac67f57912cbd2d398fca73861d9c36e9bb58010c2a8af789ca7872d96f6b7c9c10f498d8dc70a

Download Submit
C:\Windows\SysWOW64\240548359.jpg
Filesize
56KB

MD5
c6f4236d5f7929a26adec9ba633c507b

SHA1
293667b7ef95c9fa29df0e822c074804fdd9c56a

SHA256
c93c2117ff7edbd247979093f826759455c9cd536087daa568a3b6ba570b0aba

SHA512
cd8178575393f6b9ff0889c198ea543cb4928e34174681fef7ac67f57912cbd2d398fca73861d9c36e9bb58010c2a8af789ca7872d96f6b7c9c10f498d8dc70a

Download Submit
C:\Windows\SysWOW64\240548359.jpg
Filesize
56KB

MD5
c6f4236d5f7929a26adec9ba633c507b

SHA1
293667b7ef95c9fa29df0e822c074804fdd9c56a

SHA256
c93c2117ff7edbd247979093f826759455c9cd536087daa568a3b6ba570b0aba

SHA512
cd8178575393f6b9ff0889c198ea543cb4928e34174681fef7ac67f57912cbd2d398fca73861d9c36e9bb58010c2a8af789ca7872d96f6b7c9c10f498d8dc70a

Download Submit
C:\Windows\SysWOW64\windowsÏµÍ³Ö÷¶¯·ÀÓù.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\windowsÏµÍ³Ö÷¶¯·ÀÓù.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\windows\SysWOW64\240548359.jpg
Filesize
56KB

MD5
c6f4236d5f7929a26adec9ba633c507b

SHA1
293667b7ef95c9fa29df0e822c074804fdd9c56a

SHA256
c93c2117ff7edbd247979093f826759455c9cd536087daa568a3b6ba570b0aba

SHA512
cd8178575393f6b9ff0889c198ea543cb4928e34174681fef7ac67f57912cbd2d398fca73861d9c36e9bb58010c2a8af789ca7872d96f6b7c9c10f498d8dc70a

Download Submit
memory/1232-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads