gh0strat | f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013

General

Target

f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
Size

73KB
MD5

22c41b7f6097a2ebd7d98b51ed8eb476
SHA1

696651a10bb922e4ff3cda08879a9789e79f2fb1
SHA256

f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013
SHA512

05ceca6abd4928f0dfdb189dcc33df171afb248bfa02be4299862608ea9b279c38c70bdec68a2c5ea593c3a66c4bb443e7198a7313ce1cfe8bfcefde289ecadb
SSDEEP

1536:pZm8hEnrtUqKpriZVLnocQ67frP8Q18sQn7jt7D:28hEnRUZrMLnoT6LrP828sQn7jt7D

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-54.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-61.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-60.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-59.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-62.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1404	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\AirCmd.dll"	f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe

Deletes itself 1 IoCs

pid	Process
1404	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
1436	svchost.exe
1404	rundll32.exe
1404	rundll32.exe
1404	rundll32.exe
1404	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AirCmd.dll	f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1404	1436	svchost.exe	29
PID 1436 wrote to memory of 1404	1436	svchost.exe	29
PID 1436 wrote to memory of 1404	1436	svchost.exe	29
PID 1436 wrote to memory of 1404	1436	svchost.exe	29
PID 1436 wrote to memory of 1404	1436	svchost.exe	29
PID 1436 wrote to memory of 1404	1436	svchost.exe	29
PID 1436 wrote to memory of 1404	1436	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe
"C:\Users\Admin\AppData\Local\Temp\f839434adf175d2a555e2adf1c46c5d34a444e35d78b9ec2008e7d82e4976013.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\aircmd.dll, kongqiwin7 .Net CLR
  2⤵
  - Blocklisted process makes network request
  - Deletes itself
  - Loads dropped DLL
  PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\aircmd.dll

Filesize
65KB

MD5
2609e8dae402d982e7a6f0664416e48b

SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8

SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb

SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422

Download Submit
\Windows\SysWOW64\AirCmd.dll

Filesize
65KB

MD5
2609e8dae402d982e7a6f0664416e48b

SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8

SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb

SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422

Download Submit
\Windows\SysWOW64\AirCmd.dll

Filesize
65KB

MD5
2609e8dae402d982e7a6f0664416e48b

SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8

SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb

SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422

Download Submit
\Windows\SysWOW64\AirCmd.dll

Filesize
65KB

MD5
2609e8dae402d982e7a6f0664416e48b

SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8

SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb

SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422

Download Submit
\Windows\SysWOW64\AirCmd.dll

Filesize
65KB

MD5
2609e8dae402d982e7a6f0664416e48b

SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8

SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb

SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422

Download Submit
\Windows\SysWOW64\AirCmd.dll

Filesize
65KB

MD5
2609e8dae402d982e7a6f0664416e48b

SHA1
49c4315ab9fdcea15338a51e0b3f91b13f6a3cc8

SHA256
f226782d43c11cd708d9132e2bba9aff51889d719f771f71dc028cb1193dadbb

SHA512
1d45f92b26fe89ad8288dc60e018c0551c2d3ce4f225ddd8ccb6064e5c12ca0674c64382daa3b4aa8af84147dd47acb6e0fe358ff578c4a80cc8adeb9a306422

Download Submit
memory/1436-56-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing