gh0strat | 48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a

Analysis

max time kernel
48s
max time network
81s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe
Size

256KB
MD5

7c8ce74dfbba216b4ac618ab9fa9c690
SHA1

f91637e7ac16d1a7f74d4d6e1ae1cf30df059762
SHA256

48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a
SHA512

ed4defa728180de300d8ae3d144442e19bf19c852cd18ba0a390abab2999b2d80a26b3c85844f762e4fca1527e0b8f0ba4837020c2c1ec421e70afd6fd7a5502
SSDEEP

6144:L2gesJ12TMUQ8pfFquGUA8uIe7nl4Y7DOg9omdKRm1:hKTMUNfFquDA8LI4Eig9h1

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1360-60-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/1360-63-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1360-54-0x0000000000400000-0x000000000047F000-memory.dmp	vmprotect
behavioral1/memory/1360-57-0x0000000000400000-0x000000000047F000-memory.dmp	vmprotect
behavioral1/memory/1360-64-0x0000000000400000-0x000000000047F000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXBDE8F6AC = "C:\\Windows\\XXXXXXBDE8F6AC\\svchsot.exe"	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXXBDE8F6AC\svchsot.exe	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe
File opened for modification	C:\Windows\XXXXXXBDE8F6AC\svchsot.exe	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1360	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe
1360	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe
1360	48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe

C:\Users\Admin\AppData\Local\Temp\48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe
"C:\Users\Admin\AppData\Local\Temp\48bfde766f1cc95368dc541eb2a677f2cc21726e7e810316ef580ddfba0c477a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1360-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1360-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1360-58-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1360-60-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1360-63-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1360-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download