gh0strat | 15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c

General

Target

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
Size

311KB
MD5

905c3211af0112154c98baa8bde3af2b
SHA1

5848b87f2f4ac6c154234584ed813377bbd5899b
SHA256

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c
SHA512

fb1f38313c89e08a332dafcc6a73989abfc44807c2f5a64c11b1b7f0583ca4c4320855efa458790015caf0f9d898b06d6deff73dbd2c5689db06760e86634648
SSDEEP

6144:OWT1Ic+fciN3xjXoxrjxvcOMjuaMSiQ+EeEXMwQe8zLZ44Hpx14hxH:H1IZUEj0BOjqdLEeEVh8HZBp8h5

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1752-132-0x0000000000400000-0x0000000000425000-memory.dmp	family_gh0strat
\??\c:\program files\userdata.dll	family_gh0strat
C:\Program Files\UserData.dll	family_gh0strat
behavioral2/memory/1516-138-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral2/memory/1752-139-0x0000000000400000-0x0000000000425000-memory.dmp	family_gh0strat
behavioral2/memory/1516-141-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zxiEE0E.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\zxiEE0E.tmp	acprotect

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\I240579828K\Parameters\ServiceDll = "C:\\Program Files\\UserData.dll"	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

Loads dropped DLL 3 IoCs

Processes:

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exesvchost.exe

pid	process
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1516	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

description ioc process

File created C:\Program Files\UserData.dll 15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

description	ioc	process
File created	C:\Program Files\UserData.dll	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exesvchost.exe

pid	process
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1752	15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

pid process

1752 15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

C:\Users\Admin\AppData\Local\Temp\15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
"C:\Users\Admin\AppData\Local\Temp\15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k svchost
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\UserData.dll
Filesize
123KB

MD5
b0e5f3c53d9bffa35d96529fb8d3fe17

SHA1
96373e27c2742cb15d7f52ad3ba03d3a24319e52

SHA256
245c5b2da68269e5c8f67c2b931ee1e0dade9c57df7652ffa618121ce3093a4c

SHA512
0dd18e6a666307ce637bf90b60167eb3761d26f9e72a58bb199f8ecf9b7500ced12f21a8a06ccb8658c332a9c0f544d06d999e62f08c20cef112383a68c72dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxiEE0E.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxiEE0E.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\??\c:\program files\userdata.dll
Filesize
123KB

MD5
b0e5f3c53d9bffa35d96529fb8d3fe17

SHA1
96373e27c2742cb15d7f52ad3ba03d3a24319e52

SHA256
245c5b2da68269e5c8f67c2b931ee1e0dade9c57df7652ffa618121ce3093a4c

SHA512
0dd18e6a666307ce637bf90b60167eb3761d26f9e72a58bb199f8ecf9b7500ced12f21a8a06ccb8658c332a9c0f544d06d999e62f08c20cef112383a68c72dc2

Download Submit
memory/1516-138-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1516-141-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1752-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1752-135-0x00000000021D0000-0x0000000002243000-memory.dmp

Filesize
460KB

Download
memory/1752-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1752-140-0x00000000021D0000-0x0000000002243000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads