gh0strat | 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1

Analysis

max time kernel
130s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
Size

111KB
MD5

32e81745a73a137f0f62dc6b72f14cc0
SHA1

6282016eb77734eef1e93c1cac40559969919fbb
SHA256

646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1
SHA512

2e62ec8afdfbf457d2ace589f33776e7a835ae3f8cde8fbf33b081015c83a7ac954ad001e9a066a7b241f7875cb5bd51e7363b147372f06b45f4277288b5f397
SSDEEP

1536:i8uMs+Jc7yvqPbsm8QfLpcILGoka7V2uJp1VcM/vfh7EP8Z8IeIgD31:+N+ibsmUul0uJXVb/Xh7EP88IeIgD

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/1408-132-0x0000000000400000-0x000000000041BDE0-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022f58-133.dat	family_gh0strat
behavioral2/memory/1408-134-0x0000000000400000-0x000000000041BDE0-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\bits.dll"	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe

Loads dropped DLL 1 IoCs

pid	Process
1408	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bits.dll	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1408	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
1408	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
1408	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
1408	646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe

C:\Users\Admin\AppData\Local\Temp\646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe
"C:\Users\Admin\AppData\Local\Temp\646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bits.dll

Filesize
103KB

MD5
706cfbbd62a3077393423ab04134728c

SHA1
133ec633fefbf49171f159ec2457543857aa7b4b

SHA256
7d77cfabcdddd9c54d94b87edd92550f4d924a0ed235addbea2c28782c6c61f2

SHA512
86500d6b209f7c38194e92d3e6d7f1fb858030b887bb2a39685ef0974c7bed370ab8c37dfe44d6d8a230ee810c3431e0094e87287642c654ea85250490e5fbc0

Download Submit
memory/1408-132-0x0000000000400000-0x000000000041BDE0-memory.dmp

Filesize
111KB

Download
memory/1408-134-0x0000000000400000-0x000000000041BDE0-memory.dmp

Filesize
111KB

Download
memory/3272-135-0x00000241DE5A0000-0x00000241DE5B0000-memory.dmp

Filesize
64KB

Download
memory/3272-136-0x00000241DEE60000-0x00000241DEE70000-memory.dmp

Filesize
64KB

Download
memory/3272-137-0x00000241E1420000-0x00000241E1424000-memory.dmp

Filesize
16KB

Download
memory/3272-138-0x00000241E16E0000-0x00000241E16E4000-memory.dmp

Filesize
16KB

Download
memory/3272-139-0x00000241E1450000-0x00000241E1454000-memory.dmp

Filesize
16KB

Download
memory/3272-140-0x00000241E1440000-0x00000241E1444000-memory.dmp

Filesize
16KB

Download