gh0strat | e702e95a6688f624b95fa684bb0629a36f2bd964335e37c12f3b503f4749e09c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 23:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

183c838f6b937b2cf87cb3e7312cca3f.exe
Size

151KB
MD5

183c838f6b937b2cf87cb3e7312cca3f
SHA1

92ffa7f66fdb360bc0783552d21df35b954d4140
SHA256

e702e95a6688f624b95fa684bb0629a36f2bd964335e37c12f3b503f4749e09c
SHA512

5e418e2a09c12bb132ea965dee58bc2ea7292a972c686f862b4c530efd17cbd54eef0e453ba120385c4409197dfed2280206d237af9b06ab66ee22a6ff1d387e
SSDEEP

3072:o4jNJck9SSSsNM3pQ2FzCBCRMfXkf+KULVPQJ+6Da12VpUeAbB:o4jNJqsNMfQBm6XI+KULFQJ+6Da1YpN

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/660-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_gh0strat
behavioral1/memory/660-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000012252-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDIS\Parameters\ServiceDll = "C:\\Program Files (x86)\\data.dll"	183c838f6b937b2cf87cb3e7312cca3f.exe

Deletes itself 1 IoCs

pid	Process
1760	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1740	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\data.dll	183c838f6b937b2cf87cb3e7312cca3f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
660	183c838f6b937b2cf87cb3e7312cca3f.exe
660	183c838f6b937b2cf87cb3e7312cca3f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
660	183c838f6b937b2cf87cb3e7312cca3f.exe
660	183c838f6b937b2cf87cb3e7312cca3f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1760	660	183c838f6b937b2cf87cb3e7312cca3f.exe	30
PID 660 wrote to memory of 1760	660	183c838f6b937b2cf87cb3e7312cca3f.exe	30
PID 660 wrote to memory of 1760	660	183c838f6b937b2cf87cb3e7312cca3f.exe	30
PID 660 wrote to memory of 1760	660	183c838f6b937b2cf87cb3e7312cca3f.exe	30

C:\Users\Admin\AppData\Local\Temp\183c838f6b937b2cf87cb3e7312cca3f.exe
"C:\Users\Admin\AppData\Local\Temp\183c838f6b937b2cf87cb3e7312cca3f.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\183c838f6b937b2cf87cb3e7312cca3f.exe"
  2⤵
  - Deletes itself
  PID:1760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\data.dll

Filesize
112KB

MD5
ed43ceabd0094e3b34b3aa5cdec10aa5

SHA1
73176af824daca4b91f79d37cba13ad644967b2b

SHA256
ae22c6f6f4e1fc5ffdbfee6b9a66d0c74b81c9b64668acea1d7b9fd67803062a

SHA512
6af10143cdc0bc47c1fa815d52d2e960e0b144fb7cea350849a306cf21ab8aa1d2c5dca82441446def2e5efbf543434377b4091fb2d6ab5fe7dd212a81082dbc

Download Submit
memory/660-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/660-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download