gh0strat | b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd

General

Target

b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd.exe
Size

108KB
MD5

e7dd01078aa7d5e76f841cdd9e8ed3c1
SHA1

bbe9c132104b183537f4e8dbdbfda3af40571024
SHA256

b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd
SHA512

00bdfa47c6f242b9f3e076d471548a06052b02a7732f1f163e34a6d758d1b3d6b802087194c412f10d43d276da80d6fe648d9e45a81df24fe92202f1e8e90e03
SSDEEP

3072:/ESUnnVCKBt2q0nyXUmeR6dWj/RaJJ1cOxrpW:/ESUnnVhBt2qKCUmQbjZoJ12

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral2/memory/2472-132-0x0000000000400000-0x000000000041A268-memory.dmp	family_gh0strat
behavioral2/memory/2472-134-0x0000000000400000-0x000000000041A268-memory.dmp	family_gh0strat
behavioral2/files/0x000a000000022e63-133.dat	family_gh0strat
behavioral2/files/0x000a000000022e63-135.dat	family_gh0strat
behavioral2/files/0x000a000000022e63-137.dat	family_gh0strat
behavioral2/memory/4840-138-0x0000000010000000-0x0000000010019000-memory.dmp	family_gh0strat
behavioral2/memory/2828-139-0x0000000010000000-0x0000000010019000-memory.dmp	family_gh0strat
behavioral2/memory/4840-140-0x0000000010000000-0x0000000010019000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2828	rundll32.exe
37	2828	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters\ServiceDll = "C:\\Windows\\Web\\e567709kill.dll"	b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd.exe

Loads dropped DLL 2 IoCs

pid	Process
4840	svchost.exe
2828	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web	b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd.exe
File created	C:\Windows\Web\e567709kill.dll	b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	svchost.exe
Token: SeDebugPrivilege	2828	rundll32.exe
Token: SeDebugPrivilege	2828	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2828	4840	svchost.exe	84
PID 4840 wrote to memory of 2828	4840	svchost.exe	84
PID 4840 wrote to memory of 2828	4840	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd.exe
"C:\Users\Admin\AppData\Local\Temp\b6319f257a7254845a3b9d581487f1c21c4273e8916a8882c384b9f8fa8c15cd.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\web\e567709kill.dll wintest
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Web\e567709kill.dll

Filesize
90KB

MD5
e984c69ed7adc8d6ac5849e043d55ad4

SHA1
1d3cfffdd16c01cef21b016f6c7f0acc1ae471c9

SHA256
913b8acc259df751371146b09ca4b96a422df61ded6dba0d6c0e12875e17c50a

SHA512
278d059a439c85b55fc24d72c15d9c5920d14963f2a4e86e68f10b03bf07d6cf0baeb5eaf84a54a29ac2cd9cf99fe6b122c1e2bd9e6267570852d71c1dfc1f2e

Download Submit
C:\Windows\Web\e567709kill.dll

Filesize
90KB

MD5
e984c69ed7adc8d6ac5849e043d55ad4

SHA1
1d3cfffdd16c01cef21b016f6c7f0acc1ae471c9

SHA256
913b8acc259df751371146b09ca4b96a422df61ded6dba0d6c0e12875e17c50a

SHA512
278d059a439c85b55fc24d72c15d9c5920d14963f2a4e86e68f10b03bf07d6cf0baeb5eaf84a54a29ac2cd9cf99fe6b122c1e2bd9e6267570852d71c1dfc1f2e

Download Submit
\??\c:\windows\web\e567709kill.dll

Filesize
90KB

MD5
e984c69ed7adc8d6ac5849e043d55ad4

SHA1
1d3cfffdd16c01cef21b016f6c7f0acc1ae471c9

SHA256
913b8acc259df751371146b09ca4b96a422df61ded6dba0d6c0e12875e17c50a

SHA512
278d059a439c85b55fc24d72c15d9c5920d14963f2a4e86e68f10b03bf07d6cf0baeb5eaf84a54a29ac2cd9cf99fe6b122c1e2bd9e6267570852d71c1dfc1f2e

Download Submit
memory/2472-132-0x0000000000400000-0x000000000041A268-memory.dmp

Filesize
104KB

Download
memory/2472-134-0x0000000000400000-0x000000000041A268-memory.dmp

Filesize
104KB

Download
memory/2828-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4840-138-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4840-140-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing