gh0strat | 1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c

Analysis

max time kernel
120s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe
Size

44KB
MD5

dd6caf993bffa5a93484d637b451ecea
SHA1

d386de70061373e0c2f4e008b614ace51e3951ca
SHA256

1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c
SHA512

15ba4fda44925b599f7f704abd1a43a78afccec50e417008bca15f202df7715db9e0c0716dbd0c5db8383fdc6a2e9b09abb5ee0484479a2e68cd766b965339b3
SSDEEP

384:G7fqYtkgX3iVFo1hcUj52ohN2BxE61XcJnsnmltxyntXiZvWd:yfq+iro1httRz2Bu8sJV8d

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1864-0-0x0000000000450000-0x000000000049E000-memory.dmp	family_gh0strat
behavioral1/memory/1864-1-0x0000000010000000-0x0000000010018000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³Éý¼¶Ö§³Ö = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe"	1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1864	1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1864	1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe

C:\Users\Admin\AppData\Local\Temp\1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe
"C:\Users\Admin\AppData\Local\Temp\1bef5fbfb09d25ab14a4c2fdb60d02ec72d6af0534ee159031df63cdb4c8126c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-0-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1864-1-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download