gh0strat | b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e

General

Target

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
Size

87KB
MD5

13e2dc9c64ae4b0514bc4e6d14ed1637
SHA1

a638ab474323f38c1cf9b5d8a85cabf67fbbe774
SHA256

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e
SHA512

b743c63c0d9f9de9ec492e361497806a36cb5a7ec280dcdd0cd6f65d278e684202cf9224fe4f022cc7cca2a400a747c20898506dea8ccf402a65ddd6c88db0fd
SSDEEP

1536:NX4XLeFM1aR4Q9/yx/kxoL/BlHmyEzmSCvqitGEpIrQCiI/yC/SUTRKW:NIbR1B7xk2ZQjzmvqyR0QCqC/5TR3

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4028-136-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/4028-137-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/4028-140-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4E3C5774 = "C:\\Windows\\4E3C5774\\svchsot.exe"	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

Drops file in System32 directory 1 IoCs

Processes:

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Default b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Default	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

Drops file in Windows directory 2 IoCs

Processes:

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

description	ioc	process
File created	C:\Windows\4E3C5774\svchsot.exe	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
File opened for modification	C:\Windows\4E3C5774\svchsot.exe	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

pid	process
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

description	pid	process
Token: SeDebugPrivilege	4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
Token: SeDebugPrivilege	4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exenet.exe

description	pid	process	target process
PID 4028 wrote to memory of 4200	4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe	net.exe
PID 4028 wrote to memory of 4200	4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe	net.exe
PID 4028 wrote to memory of 4200	4028	b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe	net.exe
PID 4200 wrote to memory of 1632	4200	net.exe	net1.exe
PID 4200 wrote to memory of 1632	4200	net.exe	net1.exe
PID 4200 wrote to memory of 1632	4200	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe
"C:\Users\Admin\AppData\Local\Temp\b4ad644afd133856c1feb7ef3c49ab727491ba3ae8d9454739bb8cb1efd59d9e.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
2⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
3⤵
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-139-0x0000000000000000-mapping.dmp

Download
memory/4028-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4028-133-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/4028-134-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4028-136-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4028-137-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4028-140-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/4028-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4028-142-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/4200-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads