gh0strat | 2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9

Analysis

max time kernel
36s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe
Size

84KB
MD5

4bf09b008ef52cef6b3444594e251ea4
SHA1

6a6b2e029f1eaa7efd649ac147d678725dff16b4
SHA256

2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9
SHA512

f45399c62334bfdccc8ce17256e6dd20b34d29378029a1ef0c1d1beae42f7bcc4d19045a56376b9dbb434c6a7f345d1b3bd8b48a441113c32e4cea3b4b351d92
SSDEEP

768:YlTaZhPyrQ0VOFX8bFj7+WMZ5k2bqDNPgwS7QNMttMixnpXZIK2A+q8+GWP9:Um3y0wiXajqWMXkrNPXS7AunpX+K29M

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1900-54-0x0000000002160000-0x00000000021AE000-memory.dmp	family_gh0strat
behavioral1/memory/1900-55-0x0000000010000000-0x0000000010008000-memory.dmp	family_gh0strat
behavioral1/memory/1900-60-0x0000000003000000-0x0000000003140000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³Éý¼¶Ö§³Ö = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe\\2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe"	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1900	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1900	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe
1900	2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe

C:\Users\Admin\AppData\Local\Temp\2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe
"C:\Users\Admin\AppData\Local\Temp\2d738acd8694aac90741f55be519571b24fe4de3ed4da21554a8651fdbf5f3a9.exe"
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-54-0x0000000002160000-0x00000000021AE000-memory.dmp

Filesize
312KB

Download
memory/1900-55-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1900-60-0x0000000003000000-0x0000000003140000-memory.dmp

Filesize
1.2MB

Download