gh0strat | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f

General

Target

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
Size

152KB
MD5

5cf6ef1e3cdd65b37f31c9822ed3753e
SHA1

21eb377b21d9e3fb8c521c454a5367e971063fa2
SHA256

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f
SHA512

c1facaf8ebab8b3b38a6c54189297c22ba9e9891b58362e7e9349dc36e6d64b7fc59a91c1a033ebe08e8a687ab2c66090173de1cecaf79a853357a598e0ee719
SSDEEP

3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUP:8FCqxB4Ng9GLjcoCmFJLXUP

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\mte566d55m.dll	family_gh0strat
C:\Windows\SysWOW64\mte566d55m.dll	family_gh0strat
\??\c:\windows\SysWOW64\mte566d55m.dll	family_gh0strat
C:\Windows\SysWOW64\mte566d55m.dll	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

11 2640 rundll32.exe
43 2640 rundll32.exe
50 2640 rundll32.exe
78 2640 rundll32.exe

flow	pid	process
11	2640	rundll32.exe
43	2640	rundll32.exe
50	2640	rundll32.exe
78	2640	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jkgsaia22kjznl\Parameters\ServiceDll = "C:\\Windows\\system32\\mte566d55m.dll"	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exesvchost.exerundll32.exe

pid process

2836 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
4768 svchost.exe
2640 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

description ioc process

File created C:\Windows\SysWOW64\mte566d55m.dll 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mte566d55m.dll	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 4768 svchost.exe

description	pid	process
Token: SeDebugPrivilege	4768	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

pid	process
2836	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
2836	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exesvchost.exe

description	pid	process	target process
PID 2836 wrote to memory of 2252	2836	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe	cmd.exe
PID 2836 wrote to memory of 2252	2836	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe	cmd.exe
PID 2836 wrote to memory of 2252	2836	34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe	cmd.exe
PID 4768 wrote to memory of 2640	4768	svchost.exe	rundll32.exe
PID 4768 wrote to memory of 2640	4768	svchost.exe	rundll32.exe
PID 4768 wrote to memory of 2640	4768	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
"C:\Users\Admin\AppData\Local\Temp\34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe"
2⤵
PID:2252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "jkgsaia22kjznl"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\mte566d55m.dll, slexp
2⤵
- Blocklisted process makes network request
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mte566d55m.dll
Filesize
134KB

MD5
ab420e65df285fe0ae0579dd93223dc6

SHA1
8709614eca06c722dc51f90d9bf993bf0c532b2c

SHA256
42d763d33e677910ad8fff393684296ac86106abe6478675ea8a29ab79e61103

SHA512
3b7bd58cb8a93f3d5ce47ffd3b9a42bdee06251707f2a80e5cbe07adb957589f24ab2741b4fbc6ff39184881acf4397e36e6053959f80a53b1451afa5c7b2666

Download Submit
C:\Windows\SysWOW64\mte566d55m.dll
Filesize
134KB

MD5
ab420e65df285fe0ae0579dd93223dc6

SHA1
8709614eca06c722dc51f90d9bf993bf0c532b2c

SHA256
42d763d33e677910ad8fff393684296ac86106abe6478675ea8a29ab79e61103

SHA512
3b7bd58cb8a93f3d5ce47ffd3b9a42bdee06251707f2a80e5cbe07adb957589f24ab2741b4fbc6ff39184881acf4397e36e6053959f80a53b1451afa5c7b2666

Download Submit
C:\Windows\SysWOW64\mte566d55m.dll
Filesize
134KB

MD5
ab420e65df285fe0ae0579dd93223dc6

SHA1
8709614eca06c722dc51f90d9bf993bf0c532b2c

SHA256
42d763d33e677910ad8fff393684296ac86106abe6478675ea8a29ab79e61103

SHA512
3b7bd58cb8a93f3d5ce47ffd3b9a42bdee06251707f2a80e5cbe07adb957589f24ab2741b4fbc6ff39184881acf4397e36e6053959f80a53b1451afa5c7b2666

Download Submit
\??\c:\windows\SysWOW64\mte566d55m.dll
Filesize
134KB

MD5
ab420e65df285fe0ae0579dd93223dc6

SHA1
8709614eca06c722dc51f90d9bf993bf0c532b2c

SHA256
42d763d33e677910ad8fff393684296ac86106abe6478675ea8a29ab79e61103

SHA512
3b7bd58cb8a93f3d5ce47ffd3b9a42bdee06251707f2a80e5cbe07adb957589f24ab2741b4fbc6ff39184881acf4397e36e6053959f80a53b1451afa5c7b2666

Download Submit
memory/2252-135-0x0000000000000000-mapping.dmp

Download
memory/2640-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads