gh0strat | 0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa

Analysis

max time kernel
163s
max time network
85s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
Size

640KB
MD5

07c280826baec9994f82d430e8110f00
SHA1

cf0421ed23e0bf2ac270907539bce77575e93ebf
SHA256

0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa
SHA512

27b572b22e979cad72c308bbc98b677df71734c7c5b7f5bcee74a5a2dd86fde875f240a805cdf0d0f9d48b36aadeeaba68e3b3b87520625ade7fc027d94c5917
SSDEEP

12288:uM5H1C52oxL3aKHx5r+TuxPhNWwgsAO3otw:uM5H1C0w3aKHx5r+TuxPhpgpOmw

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\svchest000.exe	family_gh0strat
behavioral1/memory/1744-58-0x0000000000400000-0x00000000004ED000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

svchest000.exe

pid process

1744 svchest000.exe

pid	process
1744	svchest000.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe"	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe

Drops file in Windows directory 5 IoCs

Processes:

0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe

description	ioc	process
File created	\??\c:\Windows\BJ.exe	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
File opened for modification	\??\c:\Windows\BJ.exe	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
File created	\??\c:\Windows\svchest000.exe	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
File opened for modification	\??\c:\Windows\svchest000.exe	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
File created	\??\c:\Windows\notepab.exe	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe

description	pid	process	target process
PID 948 wrote to memory of 1744	948	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe	svchest000.exe
PID 948 wrote to memory of 1744	948	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe	svchest000.exe
PID 948 wrote to memory of 1744	948	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe	svchest000.exe
PID 948 wrote to memory of 1744	948	0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe	svchest000.exe

C:\Users\Admin\AppData\Local\Temp\0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe
"C:\Users\Admin\AppData\Local\Temp\0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:948

\??\c:\Windows\svchest000.exe
c:\Windows\svchest000.exe
2⤵
- Executes dropped EXE
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest000.exe

Filesize
640KB

MD5
07c280826baec9994f82d430e8110f00

SHA1
cf0421ed23e0bf2ac270907539bce77575e93ebf

SHA256
0d5b721359e027a163a54ea0df994862b2855cc9f2e111861fc2dc6f9f086caa

SHA512
27b572b22e979cad72c308bbc98b677df71734c7c5b7f5bcee74a5a2dd86fde875f240a805cdf0d0f9d48b36aadeeaba68e3b3b87520625ade7fc027d94c5917

Download Submit
memory/948-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/948-59-0x0000000002660000-0x000000000274D000-memory.dmp

Filesize
948KB

Download
memory/1744-55-0x0000000000000000-mapping.dmp

Download
memory/1744-58-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download