gh0strat | 97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
Size

571KB
MD5

11c24b76d0a15256a8fb81f838c4a060
SHA1

edc4a4c15f7aec56ea418a6a0d3b447fc7a63977
SHA256

97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a
SHA512

d8d164c21b824742ca11ad17884a11d31a668b415a16719e2c16caa3849cca9cd0c66a7dca268c6ef7466c9f6a9cd00a7d888845713c6735210fda1d4852e1c3
SSDEEP

6144:LGzRxSVtp0l6whGfsKR+zkBpTaa5tJH3qJH3Y:6t0VPFfsKAkrbPlalI

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/940-59-0x0000000000400000-0x00000000004F0000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
940	(null)0.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1592-55-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral1/files/0x000a0000000122be-57.dat	upx
behavioral1/memory/940-59-0x0000000000400000-0x00000000004F0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe"	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\(null)0.exe	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
File created	\??\c:\Windows\BJ.exe	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
File opened for modification	\??\c:\Windows\BJ.exe	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 940	1592	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe	27
PID 1592 wrote to memory of 940	1592	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe	27
PID 1592 wrote to memory of 940	1592	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe	27
PID 1592 wrote to memory of 940	1592	97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe	27

C:\Users\Admin\AppData\Local\Temp\97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe
"C:\Users\Admin\AppData\Local\Temp\97b41caf01bca53907503c11f1e4dad38ce19c1f2aa9fc499af878577d177c6a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1592
- \??\c:\Windows\(null)0.exe
  c:\Windows\(null)0.exe
  2⤵
  - Executes dropped EXE
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\(null)0.exe

Filesize
571KB

MD5
95ce6724cd8fc022f7714c63503e55ff

SHA1
29fa92d1ae08b825f0bd959455346d36199a015f

SHA256
16e4e5bfa9c25f5c02fcc840c76a58d05bd4becec57887efdb5f4b87fa5990e8

SHA512
fcd6fae7d6a7fe6146f7a5f84a849b31bdca961c12cf57a6089739ab5642253c5b3a9001579fd7e89f5feb9e7f78cb100a3cd8eead2c164e73e9f13c06f24445

Download Submit
memory/940-59-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1592-55-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1592-60-0x00000000023F0000-0x00000000024E0000-memory.dmp

Filesize
960KB

Download
memory/1592-61-0x00000000023F0000-0x00000000024E0000-memory.dmp

Filesize
960KB

Download