gh0strat | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee

General

Target

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
Size

152KB
MD5

18d79e48f4a53fd03da55cab229c0960
SHA1

5369878ae807b98073ffdb7a4eaea05d2a824198
SHA256

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee
SHA512

ef226bd3e81cdd028d12e155fb51045c2cd435ba1c05ea8dab880a7f55dc66f0da571a37da5795bd1830186469a205f9bdae570630b830b663a0c37b8f4effdc
SSDEEP

3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUa:8FCqxB4Ng9GLjcoCmFJLXUa

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\mte56f67am.dll	family_gh0strat
\??\c:\windows\SysWOW64\mte56f67am.dll	family_gh0strat
C:\Windows\SysWOW64\mte56f67am.dll	family_gh0strat
C:\Windows\SysWOW64\mte56f67am.dll	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

6 4544 rundll32.exe
61 4544 rundll32.exe
70 4544 rundll32.exe
87 4544 rundll32.exe

flow	pid	process
6	4544	rundll32.exe
61	4544	rundll32.exe
70	4544	rundll32.exe
87	4544	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gajho29zghkbnak\Parameters\ServiceDll = "C:\\Windows\\system32\\mte56f67am.dll"	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exesvchost.exerundll32.exe

pid process

1544 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
2840 svchost.exe
4544 rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mte56f67am.dll	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8D70DC8F-D875-47AF-BDFE-F3314E620E25}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F69E676D-8C25-49D6-A63B-542B42688EF3}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2840 svchost.exe

description	pid	process
Token: SeDebugPrivilege	2840	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe

pid	process
1544	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
1544	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exesvchost.exe

description	pid	process	target process
PID 1544 wrote to memory of 4832	1544	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe	cmd.exe
PID 1544 wrote to memory of 4832	1544	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe	cmd.exe
PID 1544 wrote to memory of 4832	1544	19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe	cmd.exe
PID 2840 wrote to memory of 4544	2840	svchost.exe	rundll32.exe
PID 2840 wrote to memory of 4544	2840	svchost.exe	rundll32.exe
PID 2840 wrote to memory of 4544	2840	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
"C:\Users\Admin\AppData\Local\Temp\19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe"
2⤵
PID:4832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "gajho29zghkbnak"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\mte56f67am.dll, slexp
2⤵
- Blocklisted process makes network request
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mte56f67am.dll
Filesize
134KB

MD5
0e07a1c32d423ce761f6cc9aa7737195

SHA1
40bfe4c0df22872ca03b38ec91403dbcfaede60a

SHA256
deb384072eeadaf820b4725ad2206380755a8f0a5a28430e5f0dd28a3db5ca35

SHA512
e8a8fd6ccbcc3ccf7ff03115f41337e6abce5a77127eaae5a3230823f1922b0213eaef061e4a42daacab5f742eb811bb03111ddc50233c4613232ca106a9892b

Download Submit
C:\Windows\SysWOW64\mte56f67am.dll
Filesize
134KB

MD5
0e07a1c32d423ce761f6cc9aa7737195

SHA1
40bfe4c0df22872ca03b38ec91403dbcfaede60a

SHA256
deb384072eeadaf820b4725ad2206380755a8f0a5a28430e5f0dd28a3db5ca35

SHA512
e8a8fd6ccbcc3ccf7ff03115f41337e6abce5a77127eaae5a3230823f1922b0213eaef061e4a42daacab5f742eb811bb03111ddc50233c4613232ca106a9892b

Download Submit
C:\Windows\SysWOW64\mte56f67am.dll
Filesize
134KB

MD5
0e07a1c32d423ce761f6cc9aa7737195

SHA1
40bfe4c0df22872ca03b38ec91403dbcfaede60a

SHA256
deb384072eeadaf820b4725ad2206380755a8f0a5a28430e5f0dd28a3db5ca35

SHA512
e8a8fd6ccbcc3ccf7ff03115f41337e6abce5a77127eaae5a3230823f1922b0213eaef061e4a42daacab5f742eb811bb03111ddc50233c4613232ca106a9892b

Download Submit
\??\c:\windows\SysWOW64\mte56f67am.dll
Filesize
134KB

MD5
0e07a1c32d423ce761f6cc9aa7737195

SHA1
40bfe4c0df22872ca03b38ec91403dbcfaede60a

SHA256
deb384072eeadaf820b4725ad2206380755a8f0a5a28430e5f0dd28a3db5ca35

SHA512
e8a8fd6ccbcc3ccf7ff03115f41337e6abce5a77127eaae5a3230823f1922b0213eaef061e4a42daacab5f742eb811bb03111ddc50233c4613232ca106a9892b

Download Submit
memory/4544-136-0x0000000000000000-mapping.dmp

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads