gh0strat | 1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

28-10-2023 19:29

24-10-2023 13:29

18-10-2023 12:04

07-09-2023 12:10

Analysis

max time kernel
1818s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69.exe
Size

134KB
MD5

98d7c096a603ac2ffdefac004abb202f
SHA1

45e0af760fb41efe844077a44ba546503f0ccec0
SHA256

cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69
SHA512

4c0d8c30a7355202e9c54de788acf975059342553f2e77df61d680ab7138320dcd7d727690254ca43f883ea9ec77426a92d6278fe3645aa2debd0b66396fc30c
SSDEEP

3072:5MGFzCHKSk/7LiVUdx/j9dyTt+WDjNM7YKQo0iS4HTrHd:5MG5CqSk/KVmj9AFMsy0iS4p

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral27/memory/556-0-0x0000000000400000-0x0000000000423000-memory.dmp	family_gh0strat
behavioral27/files/0x0008000000023233-2.dat	family_gh0strat
behavioral27/memory/556-4-0x0000000000400000-0x0000000000423000-memory.dmp	family_gh0strat
behavioral27/files/0x0008000000023233-3.dat	family_gh0strat
behavioral27/memory/1512-5-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral27/memory/1512-6-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\windmx.dll"	cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69.exe

Deletes itself 1 IoCs

pid	Process
1512	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1512	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
556	cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69.exe
556	cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69.exe

C:\Users\Admin\AppData\Local\Temp\cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69.exe
"C:\Users\Admin\AppData\Local\Temp\cb0f8c9180b92b75f130ecdd9fd42fa9c687796313cc968179d1c9b217c65e69.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Local User\windmx.dll

Filesize
118KB

MD5
921b325689869d0200e704316d59ba99

SHA1
9812cbad4079be3f794f620b5c2bfaf539408d95

SHA256
a52eb338a92b20eabaf17bd45248c9bc7a6417f31b679767ec8d1597de3812a1

SHA512
c5e05d3c4c19147238d0192eb01eb19e6f9368b6a986249cb2c3d19eb29f095b3450c6240eabccf7d98bc38ff463d677f5ebc73d85be8dac75e5585755543c84

Download Submit
\??\c:\documents and settings\local user\windmx.dll

Filesize
118KB

MD5
921b325689869d0200e704316d59ba99

SHA1
9812cbad4079be3f794f620b5c2bfaf539408d95

SHA256
a52eb338a92b20eabaf17bd45248c9bc7a6417f31b679767ec8d1597de3812a1

SHA512
c5e05d3c4c19147238d0192eb01eb19e6f9368b6a986249cb2c3d19eb29f095b3450c6240eabccf7d98bc38ff463d677f5ebc73d85be8dac75e5585755543c84

Download Submit
memory/556-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/556-4-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1512-5-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1512-6-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download