gh0strat | a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1.exe
Size

124KB
MD5

56462d54ef32e37458b87872e26c0d00
SHA1

783af98a1b21692d9c0154137135c0a1cff665fe
SHA256

a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1
SHA512

df8ba7b4cdc47527e6b62a9cd17aeeefb406dd5cb3169794df6237e8ed0b0239ca334fc0e342472912980048a957341173532663e6c9a2323e33440e18db64d1
SSDEEP

3072:ybbRNpUqa/DZx+t5+9s6tAuMZzKK4/VAHUJ4yExRv52:yHRNmq0DZIt5ta294NXJ4k

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1340-55-0x0000000000400000-0x0000000000421000-memory.dmp	family_gh0strat
behavioral1/files/0x000b000000012326-56.dat	family_gh0strat
behavioral1/files/0x000b000000012326-57.dat	family_gh0strat
behavioral1/memory/992-59-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/992-60-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\3600Svcs\paRaMeteRs\ServiceDll = "C:\\Documents and Settings\\Local User\\Onions.dll"	a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1.exe

Deletes itself 1 IoCs

pid	Process
992	svChOST.eXE

Loads dropped DLL 1 IoCs

pid	Process
992	svChOST.eXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1340	a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1.exe

C:\Users\Admin\AppData\Local\Temp\a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1.exe
"C:\Users\Admin\AppData\Local\Temp\a2e766e365f9b33e3bf57a15a450d37df6b1a5fbd318c7bf56df21af3beb6cd1.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\SysWOW64\svChOST.eXE
C:\Windows\SysWOW64\svChOST.eXE -k NeTSvCS
1⤵
- Deletes itself
- Loads dropped DLL
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local user\onions.dll

Filesize
107KB

MD5
cdbd2a44aaa913c3971575b3890725d3

SHA1
a305d06b751388fdbf7ba572a6dcb4c37652ac1d

SHA256
57e89bc84f70bc738b14cd810166bd8d0d2abef8e70eba16a6ede0906d6a67f1

SHA512
5602fe103ff602a8f5011ff1948e5e65a10a92d62efa6aff2541d1cfaa733654ae799b7529a1cf5b8fdd637dbb995ec09d79bda52747d86eb6addf73fa2172ad

Download Submit
\Users\Local User\Onions.dll

Filesize
107KB

MD5
cdbd2a44aaa913c3971575b3890725d3

SHA1
a305d06b751388fdbf7ba572a6dcb4c37652ac1d

SHA256
57e89bc84f70bc738b14cd810166bd8d0d2abef8e70eba16a6ede0906d6a67f1

SHA512
5602fe103ff602a8f5011ff1948e5e65a10a92d62efa6aff2541d1cfaa733654ae799b7529a1cf5b8fdd637dbb995ec09d79bda52747d86eb6addf73fa2172ad

Download Submit
memory/992-59-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/992-60-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1340-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1340-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download