gh0strat | 8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff

Analysis

max time kernel
39s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff.exe
Size

105KB
MD5

bf74d9db0275d302005fc22bb84f4f34
SHA1

9b84e51699891fd2f365f19232cfd76d6b427329
SHA256

8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff
SHA512

523d327e8bb128e85c22c9d2114ca3964a71220c70faed9f9564936162cb199b8b7db2fa94eea9267d687b65058a8af174ada5f5bc922259a35c1842638d99ac
SSDEEP

3072:QaBNxs/6Yi0yNp9zJeR4KIhjeNJ4hfEw4hqV/93:fXxs/8DLapI1CifEdhq7

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-54-0x0000000000400000-0x000000000041C000-memory.dmp	family_gh0strat
behavioral1/memory/1748-55-0x0000000000400000-0x000000000041C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility32.dll"	8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff.exe

C:\Users\Admin\AppData\Local\Temp\8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff.exe
"C:\Users\Admin\AppData\Local\Temp\8f4ca6241d4fa15e0e5ed835eb860fd56b7f04c32554f1ca81825801c1f5f2ff.exe"
1⤵
- Sets DLL path for service in the registry
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\\System32\\svchost.exe -k netsvcs
1⤵
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1748-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download