gh0strat | e702e95a6688f624b95fa684bb0629a36f2bd964335e37c12f3b503f4749e09c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183c838f6b937b2cf87cb3e7312cca3f.exe
Size

151KB
MD5

183c838f6b937b2cf87cb3e7312cca3f
SHA1

92ffa7f66fdb360bc0783552d21df35b954d4140
SHA256

e702e95a6688f624b95fa684bb0629a36f2bd964335e37c12f3b503f4749e09c
SHA512

5e418e2a09c12bb132ea965dee58bc2ea7292a972c686f862b4c530efd17cbd54eef0e453ba120385c4409197dfed2280206d237af9b06ab66ee22a6ff1d387e
SSDEEP

3072:o4jNJck9SSSsNM3pQ2FzCBCRMfXkf+KULVPQJ+6Da12VpUeAbB:o4jNJqsNMfQBm6XI+KULFQJ+6Da1YpN

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1636-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_gh0strat
behavioral2/files/0x000600000001e5df-2.dat	family_gh0strat
behavioral2/memory/1636-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_gh0strat
behavioral2/files/0x000600000001e5df-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDIS\Parameters\ServiceDll = "C:\\Program Files (x86)\\data.dll"	183c838f6b937b2cf87cb3e7312cca3f.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\data.dll	183c838f6b937b2cf87cb3e7312cca3f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1636	183c838f6b937b2cf87cb3e7312cca3f.exe
1636	183c838f6b937b2cf87cb3e7312cca3f.exe
1636	183c838f6b937b2cf87cb3e7312cca3f.exe
1636	183c838f6b937b2cf87cb3e7312cca3f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1636	183c838f6b937b2cf87cb3e7312cca3f.exe
1636	183c838f6b937b2cf87cb3e7312cca3f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1184	1636	183c838f6b937b2cf87cb3e7312cca3f.exe	89
PID 1636 wrote to memory of 1184	1636	183c838f6b937b2cf87cb3e7312cca3f.exe	89
PID 1636 wrote to memory of 1184	1636	183c838f6b937b2cf87cb3e7312cca3f.exe	89

C:\Users\Admin\AppData\Local\Temp\183c838f6b937b2cf87cb3e7312cca3f.exe
"C:\Users\Admin\AppData\Local\Temp\183c838f6b937b2cf87cb3e7312cca3f.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\183c838f6b937b2cf87cb3e7312cca3f.exe"
  2⤵
  PID:1184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\data.dll

Filesize
49KB

MD5
03e70ccf9705e3f32f377cdacd8d7339

SHA1
9817e2f9797188a51c3a48ab3fcb6f999d05bfe4

SHA256
6fa68c0583c79b097a60296bf9d72dcab1770e7e5abdfe2cc3277f4e179d46c0

SHA512
ec417e16712d75d54825dfde2f393a29d3aa910373d92304024b51c5bc9b84b74016975c005167280e3ca58b29e341d42c32d1c40b641106d24800e8775c7dab

Download Submit
\??\c:\program files (x86)\data.dll

Filesize
85KB

MD5
3d73b5462fa91c793801b6c01a8ce63e

SHA1
7271c7c71de5f317afe8f58a5bde3f0f7b73d914

SHA256
bd56a373a0d91b2c51fc833776ac1ca230d3750f09921dd57393911afdf3ad30

SHA512
f44ff275c5ab11f57f5a14e994d5c131adf12680b188e481e1df01fe329d7b34b20f6be985dc7e7eb2804e11036f90b5bcdaacce13a0ce5f62e1d21ba399b7c0

Download Submit
memory/1636-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1636-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download