gh0strat | d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb

Analysis

max time kernel
151s
max time network
61s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb.exe
Size

64KB
MD5

89bdb2056fcae054a269da7aca154faa
SHA1

16dce1596c755a80ab95ea216dc90ab2c7e048bf
SHA256

d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb
SHA512

4676a9e1c82d7535791e8d2f74f4e3fab1b0fea3e48509ff38c19174bd7427cc73f69cc7c15db22049e71e53ec42984b50828685897730c1790efe39611de41c
SSDEEP

1536:R5C0XQb625rDnqNht/9Qv1ZmrkYSO2rK/N3:fCCkHnw1O1WkjOqQ3

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1228-55-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/1228-56-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1228-55-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1228-56-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCSHOST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb.exe"	d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb.exe

C:\Users\Admin\AppData\Local\Temp\d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb.exe
"C:\Users\Admin\AppData\Local\Temp\d240bcbdf2cb0e6403e8e7174a44caa7eed30149501f0eafa54b50053bc36adb.exe"
1⤵
- Adds Run key to start application
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1228-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1228-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download