gh0strat | 49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee

Analysis

max time kernel
117s
max time network
140s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe
Size

4.8MB
MD5

ee78d63e919cb8603b76f900e221e543
SHA1

65f96985bfe97ef6559002a1301e84745bbbfd07
SHA256

49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee
SHA512

f16e2766ae3a498062e0d6d7d6b6e399265098cad556596553fb4842a8efd974e73dad65ddfcae024423a61de50d2a370cb276364b38b00f8f7528f2f4b07573
SSDEEP

49152:BGRl/jveTNl4+4ZzUl+hkr5kgg4+9+BPT8/ptNqI0EezUofk9AI6hlKlCcm8ZSRy:BGRRv+NIK+hkYLNqtKYcmH4lLkuGcf/

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2712-31-0x0000000000900000-0x000000000097B000-memory.dmp	family_gh0strat
behavioral1/memory/2712-48-0x0000000000AD0000-0x0000000000B66000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2712	tapisrv.exe

Loads dropped DLL 3 IoCs

pid	Process
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	tapisrv.exe
File opened (read-only)	\??\R:	tapisrv.exe
File opened (read-only)	\??\T:	tapisrv.exe
File opened (read-only)	\??\H:	tapisrv.exe
File opened (read-only)	\??\L:	tapisrv.exe
File opened (read-only)	\??\P:	tapisrv.exe
File opened (read-only)	\??\Q:	tapisrv.exe
File opened (read-only)	\??\W:	tapisrv.exe
File opened (read-only)	\??\X:	tapisrv.exe
File opened (read-only)	\??\Y:	tapisrv.exe
File opened (read-only)	\??\V:	tapisrv.exe
File opened (read-only)	\??\B:	tapisrv.exe
File opened (read-only)	\??\G:	tapisrv.exe
File opened (read-only)	\??\J:	tapisrv.exe
File opened (read-only)	\??\N:	tapisrv.exe
File opened (read-only)	\??\O:	tapisrv.exe
File opened (read-only)	\??\S:	tapisrv.exe
File opened (read-only)	\??\U:	tapisrv.exe
File opened (read-only)	\??\E:	tapisrv.exe
File opened (read-only)	\??\K:	tapisrv.exe
File opened (read-only)	\??\M:	tapisrv.exe
File opened (read-only)	\??\Z:	tapisrv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tapisrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tapisrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe
2712	tapisrv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2712	1964	49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe	28
PID 1964 wrote to memory of 2712	1964	49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe	28
PID 1964 wrote to memory of 2712	1964	49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe	28
PID 1964 wrote to memory of 2712	1964	49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe	28

C:\Users\Admin\AppData\Local\Temp\49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe
"C:\Users\Admin\AppData\Local\Temp\49bb3caf733fb1c4b57dce2b4018edcbb6a61c0140aeccacf64746625a34d5ee.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Public\McAfee\tapisrv.exe
  "C:\Users\Public\McAfee\tapisrv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\McAfee\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Public\McAfee\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Public\McAfee\donottrace.txt

Filesize
576KB

MD5
416ae2be922dd1a081fb000e2a8ded0e

SHA1
aaa283eedf87477052a82fad1eb0a176f04e5c7f

SHA256
4e31cec258f725efcb3129dcf5f4c26c6dad867a6630de95b2f7f8fdc4bbc032

SHA512
0595dca9a8e5e65ead12a374e53e2bcc12eeb5e07af717d33cc4d8d736ce17ffe5d3b38415b22dca94d91485403929aef57d39cab407bf8cca02b69d47cbb741

Download Submit
C:\Users\Public\McAfee\libcurl.dll

Filesize
558KB

MD5
81b0085bd2e701a3aa178d9e51fe3016

SHA1
7a2c2aec8d7a6a6a282f09b8f28883b51fe7a005

SHA256
0806be5c1993c9468bae252b5d241d45069c77332a8eb8b9a8b2150b1fe7ffea

SHA512
ee1a5fdabefc4ee86526a33c1b61f25d4d0e74b349fd2e994bdcee3ad33961eb1eb49b9793f8a968902ab6530d25158491747c627cdf33ed3573b9e957ce4971

Download Submit
C:\Users\Public\McAfee\tapisrv.dat

Filesize
61B

MD5
da194a9d2821959906f4001dd06c9808

SHA1
00e574459e1731a4b4cb4a59079298aecc0d9d96

SHA256
0809a900d5f5d8ba07063580cbabeb7d129b17d4e287c20fab511223c1ffb509

SHA512
2d51242602ad33b02b25c8efbcf9479ffa781b91aee100d3c238fe329f6b64fdf8ce28b976757bd98b3123911297ff57f9a6a7afb152e5274d465120f1461458

Download Submit
C:\Users\Public\McAfee\tapisrv.exe

Filesize
678KB

MD5
89c753dfc41e368f0907d3b2ecf46279

SHA1
439e2649923476fbfe9e85a9f3eee0b201e6f1ba

SHA256
354f09fd303d2c339e288f4af5bb1017a5df8c97a67ed3ccd2b85f07d8700972

SHA512
dcc5a5336d8562e2a015aa377c12c8419a3b913e5d567afd08995ff54f67b42956b65ac90c375ad72d39431bbb857010984a0f28c9a2764b1c26c14c915d4f52

Download Submit
C:\Users\Public\McAfee\task.dat

Filesize
78B

MD5
89853ac767a64f24dc573a63ded57204

SHA1
cb2ec00fedd9aec2435c3323726757192634f9a2

SHA256
928a25262df370b93a69bc490950b46a44adbb77d4f2115dcbb3b754544c6410

SHA512
419d5872b0d0dbaa2d30fb6cf697bcddd0fb0e12534b54c289d6bec3e4eb870d05eab3b5f8d0f842a1076ffa470a56676498c23b4d5ebaaf597fda6e224a0b41

Download Submit
\Users\Public\McAfee\libcurl.dll

Filesize
558KB

MD5
81b0085bd2e701a3aa178d9e51fe3016

SHA1
7a2c2aec8d7a6a6a282f09b8f28883b51fe7a005

SHA256
0806be5c1993c9468bae252b5d241d45069c77332a8eb8b9a8b2150b1fe7ffea

SHA512
ee1a5fdabefc4ee86526a33c1b61f25d4d0e74b349fd2e994bdcee3ad33961eb1eb49b9793f8a968902ab6530d25158491747c627cdf33ed3573b9e957ce4971

Download Submit
\Users\Public\McAfee\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
\Users\Public\McAfee\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
memory/2712-28-0x0000000000AD0000-0x0000000000B66000-memory.dmp

Filesize
600KB

Download
memory/2712-29-0x0000000000AD0000-0x0000000000B66000-memory.dmp

Filesize
600KB

Download
memory/2712-31-0x0000000000900000-0x000000000097B000-memory.dmp

Filesize
492KB

Download
memory/2712-48-0x0000000000AD0000-0x0000000000B66000-memory.dmp

Filesize
600KB

Download