gh0strat | f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe
Size

49KB
MD5

127ebfdbfb8273a02eab034501afe723
SHA1

8e9915e522abb736d78510d041b9957d1e7c672d
SHA256

f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad
SHA512

785c08be8b82abd905865395cf13842aaaa1f1a0a3228969058b4e00e6005cdd126705dfd2eec831142eaaeb4717b73d66e92d63f234da7e1d8a344a5fafa6f2
SSDEEP

768:BS2oDQTIN8sPN7BhZYSwFnDkHtx5zgtgoEbZj4wL+tueUuJGdJ5827GI4TFXE:42ocSPj+IyON1L+tueS7GIaFXE

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000005c50-54.dat	family_gh0strat
behavioral1/memory/1348-56-0x0000000000400000-0x0000000000435000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000013445-57.dat	family_gh0strat
behavioral1/files/0x000a000000013445-58.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe

Deletes itself 1 IoCs

pid	Process
604	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe
604	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

C:\Users\Admin\AppData\Local\Temp\f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe
"C:\Users\Admin\AppData\Local\Temp\f88c3ae3c180a4cda806e9775db25a49d197de3c511dd986ade5b2421b3b77ad.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\install.tmp

Filesize
102B

MD5
4045836f81491a381fa534aabe8a1e98

SHA1
951e47397f6a142ba3585e61fffbec692e771b6c

SHA256
e0a13e95d0a72e48c7210d4ea6b3973c7804e470349345a5bc0aad84428531ea

SHA512
d12707ea07029a85071e65e3a4052ec7e32b22720f8f32776cb29af4d871b2208b6c84eb72714344095044ab97be9c073db65a75af5ee17025309e4fcde3bcc7

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll

Filesize
91KB

MD5
ba082d221a2aea344d6cd11bb4d70571

SHA1
20f3623625c6ca7398a439977beded163739d662

SHA256
06f7aabc826499e2b0a3f7399a27228186def8a275051b735f2d1d612c378e06

SHA512
02a6e9aa85c99329b40d63e6ebd961cdd7cb4791b4703bdcbfc0ed0b16217efc7a76c87b2904d1e39ff51c1f12e9ef1fee91408d145bb5535d242ffd0bcbf7c4

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
91KB

MD5
ba082d221a2aea344d6cd11bb4d70571

SHA1
20f3623625c6ca7398a439977beded163739d662

SHA256
06f7aabc826499e2b0a3f7399a27228186def8a275051b735f2d1d612c378e06

SHA512
02a6e9aa85c99329b40d63e6ebd961cdd7cb4791b4703bdcbfc0ed0b16217efc7a76c87b2904d1e39ff51c1f12e9ef1fee91408d145bb5535d242ffd0bcbf7c4

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll

Filesize
91KB

MD5
ba082d221a2aea344d6cd11bb4d70571

SHA1
20f3623625c6ca7398a439977beded163739d662

SHA256
06f7aabc826499e2b0a3f7399a27228186def8a275051b735f2d1d612c378e06

SHA512
02a6e9aa85c99329b40d63e6ebd961cdd7cb4791b4703bdcbfc0ed0b16217efc7a76c87b2904d1e39ff51c1f12e9ef1fee91408d145bb5535d242ffd0bcbf7c4

Download Submit
memory/1348-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download