gh0strat | 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13

General

Target

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
Size

172KB
MD5

abd457f404c29c5a256f31efaeb3cb4d
SHA1

dc183ff7f1a7ae60dd2e1eb077514a067375b0e1
SHA256

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13
SHA512

be893db0a2822a2eb92673730eb64ad7af8a83219bd1f6b5fc024eda7d6dab943470f9c1a76f5b64927f3b5088c7ef622dd67bc1c5f7e21e69408a5450a08e60
SSDEEP

3072:FZyAqSH/lSea50OcvB4oZ4O9BJ3+YcAAUNLsF8bYdDNMD4JBnhYN:Ty6lSJdSiI9ncAbLstDNPJdmN

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\mt6f8e0em.dll	family_gh0strat
\Windows\SysWOW64\mt6f8e0em.dll	family_gh0strat
\??\c:\windows\SysWOW64\mt6f8e0em.dll	family_gh0strat
\Windows\SysWOW64\mt6f8e0em.dll	family_gh0strat
\Windows\SysWOW64\mt6f8e0em.dll	family_gh0strat
\Windows\SysWOW64\mt6f8e0em.dll	family_gh0strat
\Windows\SysWOW64\mt6f8e0em.dll	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 364 rundll32.exe
7 364 rundll32.exe

flow	pid	process
3	364	rundll32.exe
7	364	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\s90e02v5432e42nfa7\Parameters\ServiceDll = "C:\\Windows\\system32\\mt6f8e0em.dll"	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe"	rundll32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1384 cmd.exe

pid	process
1384	cmd.exe

Loads dropped DLL 6 IoCs

Processes:

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exesvchost.exerundll32.exe

pid	process
784	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
820	svchost.exe
364	rundll32.exe
364	rundll32.exe
364	rundll32.exe
364	rundll32.exe

Drops file in System32 directory 1 IoCs

Processes:

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe

description ioc process

File created C:\Windows\SysWOW64\mt6f8e0em.dll 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 820 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe

pid process

784 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mt6f8e0em.dll	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe

description	pid	process
Token: SeDebugPrivilege	820	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exesvchost.exe

description	pid	process	target process
PID 784 wrote to memory of 1384	784	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe	cmd.exe
PID 784 wrote to memory of 1384	784	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe	cmd.exe
PID 784 wrote to memory of 1384	784	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe	cmd.exe
PID 784 wrote to memory of 1384	784	96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe	cmd.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe
PID 820 wrote to memory of 364	820	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
"C:\Users\Admin\AppData\Local\Temp\96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe"
2⤵
- Deletes itself
PID:1384

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "s90e02v5432e42nfa7"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\mt6f8e0em.dll, slexp
2⤵
- Blocklisted process makes network request
- Sets file execution options in registry
- Loads dropped DLL
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
\Windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
\Windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
\Windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
\Windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
\Windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
\Windows\SysWOW64\mt6f8e0em.dll
Filesize
142KB

MD5
1ac50700edbeca3ec5ec30792f83c682

SHA1
72e4470b1252c6c2ecd53d4949583032f60ec3bd

SHA256
0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44

SHA512
0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b

Download Submit
memory/364-58-0x0000000000000000-mapping.dmp

Download
memory/364-59-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/1384-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads