gh0strat | ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3

Analysis

max time kernel
119s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3.exe
Size

124KB
MD5

646103b6bf967d80a3aff79d6ba8ef8e
SHA1

0d6b7f5f4594d4e953bc28cbbc4ea15a308b0562
SHA256

ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3
SHA512

27de208baef7bac916eb6d11cdcef8b9c1124b764b650bf99ae52389fbe534cdf423cb4e886a1281b28f8f222443681c6f63927199ed2246a1d93340e39dd247
SSDEEP

1536:fVH8Zf/NyESRVwFQ4l6iTA/7IxCRADcNrUf8RsFqQSE+:fZ8vyFwFD6HDIgRAD+rG8RsaE

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/920-133-0x0000000000400000-0x0000000000421000-memory.dmp	family_gh0strat
behavioral2/files/0x0005000000022e04-132.dat	family_gh0strat
behavioral2/files/0x0005000000022e04-134.dat	family_gh0strat
behavioral2/files/0x0005000000022e04-136.dat	family_gh0strat
behavioral2/files/0x0005000000022e04-135.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft MR\Parameters\ServiceDll = "C:\\Windows\\system32\\Service.dll"	ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3.exe

Loads dropped DLL 3 IoCs

pid	Process
372	svchost.exe
372	svchost.exe
372	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Service.dll	ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3.exe

C:\Users\Admin\AppData\Local\Temp\ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3.exe
"C:\Users\Admin\AppData\Local\Temp\ac2f992fc62e83cd8806dc9763a7475239bf508d278855da84b7cdc4ba61cff3.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:920

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Service.dll

Filesize
117KB

MD5
dbcf412932820c77bcef07e29e0284df

SHA1
d6b138c038b86ae3d1363918cc1abd380a5d0ecb

SHA256
e9691b78f7a442acb607951af2cf2a5a6371452366f54b0ddeac6b588a7dff54

SHA512
d6cdfab4c5cd364b9faa5f9e5e4c5cda8fb48af8293dcbcd13908763a2fb5f777d1e59b2e0b1e1c20f23c487be917d9c0a491ab00f002de698587b62a4e9d876

Download Submit
C:\Windows\SysWOW64\Service.dll

Filesize
117KB

MD5
dbcf412932820c77bcef07e29e0284df

SHA1
d6b138c038b86ae3d1363918cc1abd380a5d0ecb

SHA256
e9691b78f7a442acb607951af2cf2a5a6371452366f54b0ddeac6b588a7dff54

SHA512
d6cdfab4c5cd364b9faa5f9e5e4c5cda8fb48af8293dcbcd13908763a2fb5f777d1e59b2e0b1e1c20f23c487be917d9c0a491ab00f002de698587b62a4e9d876

Download Submit
C:\Windows\SysWOW64\Service.dll

Filesize
117KB

MD5
dbcf412932820c77bcef07e29e0284df

SHA1
d6b138c038b86ae3d1363918cc1abd380a5d0ecb

SHA256
e9691b78f7a442acb607951af2cf2a5a6371452366f54b0ddeac6b588a7dff54

SHA512
d6cdfab4c5cd364b9faa5f9e5e4c5cda8fb48af8293dcbcd13908763a2fb5f777d1e59b2e0b1e1c20f23c487be917d9c0a491ab00f002de698587b62a4e9d876

Download Submit
\??\c:\windows\SysWOW64\service.dll

Filesize
117KB

MD5
dbcf412932820c77bcef07e29e0284df

SHA1
d6b138c038b86ae3d1363918cc1abd380a5d0ecb

SHA256
e9691b78f7a442acb607951af2cf2a5a6371452366f54b0ddeac6b588a7dff54

SHA512
d6cdfab4c5cd364b9faa5f9e5e4c5cda8fb48af8293dcbcd13908763a2fb5f777d1e59b2e0b1e1c20f23c487be917d9c0a491ab00f002de698587b62a4e9d876

Download Submit
memory/920-133-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download