gh0strat | 41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc

Analysis

max time kernel
191s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe
Size

576KB
MD5

84da30f0f735da2e20006c5a9bb97b68
SHA1

b9effa25a5e7ef86b25225ce30fe9d2bb8be7fb6
SHA256

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc
SHA512

28e45d3067f4c9c0d77bfc733a566457a6204af418db3f216c9cad03134d8b4a0176c9c158771ae154d0a3d2153b545c01c640e1e7bbab15fff1a0d9a338e4d2
SSDEEP

6144:/yHe1w/ziNliJMPLdXopU7JtGVa1TnbM/fxz/8iAg:a+1w/CIGPLs+m44yg

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1420-132-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe"	41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

pid process

1420 41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

pid	process
1420	41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe

C:\Users\Admin\AppData\Local\Temp\41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe
"C:\Users\Admin\AppData\Local\Temp\41f2e7132cc3375eaf706d922d07f652ed1f843353473da610d15a785bf169fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-132-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download