gh0strat | 8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
Size

433KB
MD5

102ac11eecaeb86f2c5ec7659b405260
SHA1

9645b14cb0331ee8b365d3aa89267ee9fe8648d5
SHA256

8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0
SHA512

407b0b77ac0729f5de50c8481bdf654ad6dd796c66a9528b4fa46ee3a3a588bc8e52473a951e44ea312f372f5ca188bbe8832d54d97ae351c079b38ec8381911
SSDEEP

6144:7evzV8Yct6Ym5OjI6UOwqdC32bAAzMFqonJl3/L:7e7V8rzmb6URlizUqc

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/620-58-0x0000000000400000-0x00000000004F5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
620	svchest000.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe"	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\Windows\BJ.exe	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
File opened for modification	\??\c:\Windows\BJ.exe	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
File created	\??\c:\Windows\svchest000.exe	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
File opened for modification	\??\c:\Windows\svchest000.exe	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
File created	\??\c:\Windows\notepab.exe	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 620	1448	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe	27
PID 1448 wrote to memory of 620	1448	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe	27
PID 1448 wrote to memory of 620	1448	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe	27
PID 1448 wrote to memory of 620	1448	8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe	27

C:\Users\Admin\AppData\Local\Temp\8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe
"C:\Users\Admin\AppData\Local\Temp\8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1448
- \??\c:\Windows\svchest000.exe
  c:\Windows\svchest000.exe
  2⤵
  - Executes dropped EXE
  PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest000.exe

Filesize
433KB

MD5
102ac11eecaeb86f2c5ec7659b405260

SHA1
9645b14cb0331ee8b365d3aa89267ee9fe8648d5

SHA256
8f01addadd37cfd6cf43c5c8f1d0571458aa46f07b94ae782fe65e9d26bbf9d0

SHA512
407b0b77ac0729f5de50c8481bdf654ad6dd796c66a9528b4fa46ee3a3a588bc8e52473a951e44ea312f372f5ca188bbe8832d54d97ae351c079b38ec8381911

Download Submit
memory/620-55-0x0000000000000000-mapping.dmp

Download
memory/620-58-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-59-0x00000000025B0000-0x00000000026A5000-memory.dmp

Filesize
980KB

Download
memory/1448-60-0x00000000025B0000-0x00000000026A5000-memory.dmp

Filesize
980KB

Download