gh0strat | b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 19:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe
Size

3.4MB
MD5

93eddd7fef39b6cd5b3b77a10d48c094
SHA1

ac44b5f97671c2fc20f4796f509cbc71e1c902c6
SHA256

b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142
SHA512

de3a66174c3ce284c65d1b79edb06edae08999853abc204feab4f679e14a014d0dd2af07dd031d0acc54acfb9191e896844242ab261c85c2f7fcfa83ca62066a
SSDEEP

98304:0roXfzhKDmC+7pMkBp9o6oD0LWEtjG8ZvYUs:nXfzhKDmC+7++pCz0L1vvBs

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/760-70-0x0000000010000000-0x000000001007B000-memory.dmp	family_gh0strat
behavioral1/memory/760-74-0x0000000002030000-0x00000000020C6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
760	microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe

Loads dropped DLL 5 IoCs

pid	Process
1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe
760	microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe
760	microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe
760	microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe
760	microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 760	1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe	27
PID 1444 wrote to memory of 760	1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe	27
PID 1444 wrote to memory of 760	1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe	27
PID 1444 wrote to memory of 760	1444	b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe	27

C:\Users\Admin\AppData\Local\Temp\b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe
"C:\Users\Admin\AppData\Local\Temp\b1abb4bdb431ca7b588039933166cbebd387952ddf6e35493d6a3b355188b142.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Public\Assets\microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe
  "C:\Users\Public\Assets\microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Assets\AudioEngine.dll

Filesize
72KB

MD5
acb860f6e3a5c83931e7ba395f65552a

SHA1
48260d99363d759133d8bfd88687fbb504a70378

SHA256
d1bbeb6f761ee1f1387ae20866102cd095790b58968cd656d3c7260b957e282b

SHA512
5fc9e54d47c07d1f3612a2acd7095fe0469394deb8f08b54830db2219103a9379b206caa26072880dadbc2e549cd8b195380c457c09f803cec6a04a59a741372

Download Submit
C:\Users\Public\Assets\MSVCP100.dll

Filesize
410KB

MD5
4fb450c8ca339e79ecbaead391418126

SHA1
892a8bdd074eca0ca02a485bc544f24a80c1338c

SHA256
0d819f6887630728f6a82c26d08f6191a093b0ce20115b9080003aa4a7093b05

SHA512
c6fc8bc8df2578470210f818d9dc0afb14e8096d8de7af09b08c3b2c71888c6f93195f122bf6cffa677d31d1d0e3baa64855af79fd326517d2d69a02b171d51d

Download Submit
C:\Users\Public\Assets\MSVCR100.dll

Filesize
755KB

MD5
a16774e8834fc402639203b75baefe1a

SHA1
f8ca806d3004678d8e859036826f1b9ad2966c67

SHA256
941117cd1e6245f6e3ec732e2db91a4d28fea42b56f8970b0fa7c007cf41df10

SHA512
fa6f6abd0615bf047643ac81766023f5a67f06f5ddb4f6fd5c029108b513ccd819af7ea6acd7dde6cc030c8ab6f3fb3c2d70274f84acb68ecc539d4c5713fe76

Download Submit
C:\Users\Public\Assets\common_tools.dll

Filesize
277KB

MD5
65b467f06876560a98aad7e9fa3e9404

SHA1
43fe5a983c0b37961ce076203a76b3db1aa4ebea

SHA256
fecd650431c8b2c9a65e58e21b023fca0e8de668cdda762c8500730a0d6cbe75

SHA512
d2e41bb5e8e4579dace396561b0f82cb4aaca54cc31da5db25ba85968f75bdb274279ed3abf16fa2ba98887a4e5cb6d7d4b4ffa0e71c0ece91c1d452f25863c3

Download Submit
C:\Users\Public\Assets\donottrace.txt

Filesize
576KB

MD5
6c9a13fbf3b56760e5e04d58f6cd5f17

SHA1
cd4275821defd63c3a2f7b6c1f9c08648769a266

SHA256
d406ad436b18641205d0c92ed54afde085459f8c57b94e0265ab5f20752e1cae

SHA512
ef8b797510d96ed983ddd8f1337ca85e5dfcc1913fd9471116d65edf7cc9138c5cb2df3c1bdb956f7ddf5f4abe4309e1a2e4580d1e0f25e4a540f15644e4ebcd

Download Submit
C:\Users\Public\Assets\microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe

Filesize
121KB

MD5
940bb8ab8affaab9a7b7cecd4c8f7c7b

SHA1
344961750f0d6d59a373ea454d2cad806f6b65e6

SHA256
bf8b33b52a0c101ad667a98c071772ad0521305d8b9c47475bfb6c2a17e412c3

SHA512
b52ebdf571a7a691c1ef0fbbab88cfb61d538276ffc787e8221c1ef8d7b9e08963d5b227b39033490c507c101b8749d115587d6a13198b6e8562946784eac4a5

Download Submit
C:\Users\Public\Assets\task.dat

Filesize
136B

MD5
18b87fa1185615eb0efdcb088f01bc67

SHA1
7ebbae2fef9ee63557cd40f2d7795bb41cae048d

SHA256
972ab74ea35bf26f71bed515be517f4cb38d67d264669fa082f3d326bc0a95cc

SHA512
4e24d4e8d4330cfc244ce85ec2311a566427f413ab2efbae2f9ce157a6add4c5f871944571aa019501c923190653e1cf8a6a8981c147a11f7f177e93c82afc17

Download Submit
\Users\Public\Assets\AudioEngine.dll

Filesize
72KB

MD5
acb860f6e3a5c83931e7ba395f65552a

SHA1
48260d99363d759133d8bfd88687fbb504a70378

SHA256
d1bbeb6f761ee1f1387ae20866102cd095790b58968cd656d3c7260b957e282b

SHA512
5fc9e54d47c07d1f3612a2acd7095fe0469394deb8f08b54830db2219103a9379b206caa26072880dadbc2e549cd8b195380c457c09f803cec6a04a59a741372

Download Submit
\Users\Public\Assets\common_tools.dll

Filesize
277KB

MD5
65b467f06876560a98aad7e9fa3e9404

SHA1
43fe5a983c0b37961ce076203a76b3db1aa4ebea

SHA256
fecd650431c8b2c9a65e58e21b023fca0e8de668cdda762c8500730a0d6cbe75

SHA512
d2e41bb5e8e4579dace396561b0f82cb4aaca54cc31da5db25ba85968f75bdb274279ed3abf16fa2ba98887a4e5cb6d7d4b4ffa0e71c0ece91c1d452f25863c3

Download Submit
\Users\Public\Assets\microsoft.net.native.framework.1.7_1.7.27413.0_x64.exe

Filesize
121KB

MD5
940bb8ab8affaab9a7b7cecd4c8f7c7b

SHA1
344961750f0d6d59a373ea454d2cad806f6b65e6

SHA256
bf8b33b52a0c101ad667a98c071772ad0521305d8b9c47475bfb6c2a17e412c3

SHA512
b52ebdf571a7a691c1ef0fbbab88cfb61d538276ffc787e8221c1ef8d7b9e08963d5b227b39033490c507c101b8749d115587d6a13198b6e8562946784eac4a5

Download Submit
\Users\Public\Assets\msvcp100.dll

Filesize
410KB

MD5
4fb450c8ca339e79ecbaead391418126

SHA1
892a8bdd074eca0ca02a485bc544f24a80c1338c

SHA256
0d819f6887630728f6a82c26d08f6191a093b0ce20115b9080003aa4a7093b05

SHA512
c6fc8bc8df2578470210f818d9dc0afb14e8096d8de7af09b08c3b2c71888c6f93195f122bf6cffa677d31d1d0e3baa64855af79fd326517d2d69a02b171d51d

Download Submit
\Users\Public\Assets\msvcr100.dll

Filesize
755KB

MD5
a16774e8834fc402639203b75baefe1a

SHA1
f8ca806d3004678d8e859036826f1b9ad2966c67

SHA256
941117cd1e6245f6e3ec732e2db91a4d28fea42b56f8970b0fa7c007cf41df10

SHA512
fa6f6abd0615bf047643ac81766023f5a67f06f5ddb4f6fd5c029108b513ccd819af7ea6acd7dde6cc030c8ab6f3fb3c2d70274f84acb68ecc539d4c5713fe76

Download Submit
memory/760-68-0x0000000002030000-0x00000000020C6000-memory.dmp

Filesize
600KB

Download
memory/760-70-0x0000000010000000-0x000000001007B000-memory.dmp

Filesize
492KB

Download
memory/760-74-0x0000000002030000-0x00000000020C6000-memory.dmp

Filesize
600KB

Download
memory/1444-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download