gh0strat | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546

General

Target

4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
Size

176KB
MD5

7c714e971bd8afd88af899253fd77f3d
SHA1

ca348c8d2215e807fec62c549d677b3e6292f2ce
SHA256

4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546
SHA512

31effab420dabca0f3146f97b076804fbe6778126e4a7b3fc82d04f6ee0ac9144623932cc37a4a2de96440dba88b96637a5578189504a1785f24f250f89171ec
SSDEEP

3072:0cYcYKEzcW526y6hs6PhwtqrorsVlkTEIcy1O4F3JhMWIknqX5d+vIjc8UW:0cBYKEz557e2VroYoTU4JOWnS5d+v0cu

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
\??\c:\windows\SysWOW64\winnie.cmd	family_gh0strat
\Windows\SysWOW64\winnie.cmd	family_gh0strat
\Windows\SysWOW64\winnie.cmd	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 816 rundll32.exe

flow	pid	process
2	816	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Rspdates Apxplicatioan\Parameters\ServiceDll	4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe

Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

816 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exerundll32.exe

pid process

592 svchost.exe
816 rundll32.exe

pid	process
816	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe

description	ioc	process
File opened for modification	C:\Windows\hfsetemp.ini	4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
File created	C:\Windows\Svchost.txt	4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
File created	C:\Windows\Svchost.reg	4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

svchost.exe

pid	process
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe
592	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	992	4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
Token: SeRestorePrivilege	992	4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
Token: SeDebugPrivilege	592	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe
PID 592 wrote to memory of 816	592	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
"C:\Users\Admin\AppData\Local\Temp\4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "c:\windows\system32\winnie.cmd",EASTNOD Rspdates Apxplicatioan
2⤵
- Blocklisted process makes network request
- Deletes itself
- Loads dropped DLL
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\winnie.cmd
Filesize
1.1MB

MD5
53b735bb0b6473676d1529916a606472

SHA1
26b0804de2e3dbffdf5bd840e78d2e6bc8682b14

SHA256
ec99bec45e94481200651b4d2b3e53d35ccc5f7c90c2e32eef45b87c52d04ebb

SHA512
192f9fb137e72d32085776de32f54f021978513c33e8eba609ff606cdaa56f03d75c1c5b4f166fb2a7046663d4b8f889481ee22cc1c271cb3ba690a1768a78d2

Download Submit
\Windows\SysWOW64\winnie.cmd
Filesize
1.1MB

MD5
53b735bb0b6473676d1529916a606472

SHA1
26b0804de2e3dbffdf5bd840e78d2e6bc8682b14

SHA256
ec99bec45e94481200651b4d2b3e53d35ccc5f7c90c2e32eef45b87c52d04ebb

SHA512
192f9fb137e72d32085776de32f54f021978513c33e8eba609ff606cdaa56f03d75c1c5b4f166fb2a7046663d4b8f889481ee22cc1c271cb3ba690a1768a78d2

Download Submit
\Windows\SysWOW64\winnie.cmd
Filesize
1.1MB

MD5
53b735bb0b6473676d1529916a606472

SHA1
26b0804de2e3dbffdf5bd840e78d2e6bc8682b14

SHA256
ec99bec45e94481200651b4d2b3e53d35ccc5f7c90c2e32eef45b87c52d04ebb

SHA512
192f9fb137e72d32085776de32f54f021978513c33e8eba609ff606cdaa56f03d75c1c5b4f166fb2a7046663d4b8f889481ee22cc1c271cb3ba690a1768a78d2

Download Submit
memory/592-56-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/816-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads