gh0strat | de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920.exe
Size

109KB
MD5

25c177d2439e084f8c5be14930b9fe17
SHA1

bb595a98cd7387d2d2d4844ea4fed33d0767ae55
SHA256

de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920
SHA512

ce842aa126c626d3168870a79ec7e551ee7fdd77b6589ec4e1f84371e666febe397cfbd3f1dbe489c4cd7e55af50c1a28aef95bd2bd15d3cc621e8f7cb891839
SSDEEP

1536:DVH8gMsa6kRfJirY84erfImafc61JfcUcKDRA8/HUtpFXCAIM:DZ8gVa6wiraf91JcUcw/HUtpFXCAIM

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/3872-133-0x0000000000400000-0x000000000041D000-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000022dc3-132.dat	family_gh0strat
behavioral2/files/0x0008000000022dc3-134.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Three\Parameters\ServiceDll = "C:\\Program Files (x86)\\Common Files\\main.dll"	de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920.exe

Loads dropped DLL 1 IoCs

pid	Process
3392	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\main.dll	de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920.exe

C:\Users\Admin\AppData\Local\Temp\de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920.exe
"C:\Users\Admin\AppData\Local\Temp\de732ef1c910b332927000e9532309c71cd2652fe1f43a369ab26c89e7d30920.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Program Files directory
PID:3872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\main.dll

Filesize
102KB

MD5
809fcfbc82f9f49c3a6fd577d9db6b3d

SHA1
9becade50b3a23a87852248546a32c3cf115d596

SHA256
aeaffc7a266d09d788318308e51df6031daa6a7ba05812c25ab51f6ec8803462

SHA512
2dc528bcf898830534e2fdf58bbd0387029aca4965dbb033c9aa6307252e40c54cfc96bff9ab84b466e5c6cf8cf911f8b61dc1afcbd11a845a332a02a7d4b1dc

Download Submit
\??\c:\program files (x86)\common files\main.dll

Filesize
102KB

MD5
809fcfbc82f9f49c3a6fd577d9db6b3d

SHA1
9becade50b3a23a87852248546a32c3cf115d596

SHA256
aeaffc7a266d09d788318308e51df6031daa6a7ba05812c25ab51f6ec8803462

SHA512
2dc528bcf898830534e2fdf58bbd0387029aca4965dbb033c9aa6307252e40c54cfc96bff9ab84b466e5c6cf8cf911f8b61dc1afcbd11a845a332a02a7d4b1dc

Download Submit
memory/3872-133-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download