gh0strat | 39cf1a5196ab7f8fca7214dd0736a05d9543000e0d8602504fd7655b6010bde1

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000f46861ea7bc4f28e9dd5e0a4f6a2c.exe
Size

535KB
MD5

000f46861ea7bc4f28e9dd5e0a4f6a2c
SHA1

7ceaf0e413c29eba099b6338e239bff60718819f
SHA256

39cf1a5196ab7f8fca7214dd0736a05d9543000e0d8602504fd7655b6010bde1
SHA512

409509398ab3d6b4dd006412341b40fe52bb517278bf434110f34abaf30cddd35a2180925b19dea8ceed0caddb9843b237762e6a723ef24e7ada2e9a2c4c1a1c
SSDEEP

12288:q08PKZVQQxfnr+TK7r79/J0NWNf37JcAayM5ahHjO:t8AVQQxfnr+TK7r79/J0ofrJEyM5ahDO

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000140fb-4.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2896	(null)0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\000f46861ea7bc4f28e9dd5e0a4f6a2c.exe"	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\(null)0.exe	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe
File opened for modification	\??\c:\Windows\BJ.exe	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe
File created	\??\c:\Windows\BJ.exe	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2896	1256	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe	28
PID 1256 wrote to memory of 2896	1256	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe	28
PID 1256 wrote to memory of 2896	1256	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe	28
PID 1256 wrote to memory of 2896	1256	000f46861ea7bc4f28e9dd5e0a4f6a2c.exe	28

C:\Users\Admin\AppData\Local\Temp\000f46861ea7bc4f28e9dd5e0a4f6a2c.exe
"C:\Users\Admin\AppData\Local\Temp\000f46861ea7bc4f28e9dd5e0a4f6a2c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1256
- \??\c:\Windows\(null)0.exe
  c:\Windows\(null)0.exe
  2⤵
  - Executes dropped EXE
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\(null)0.exe

Filesize
535KB

MD5
000f46861ea7bc4f28e9dd5e0a4f6a2c

SHA1
7ceaf0e413c29eba099b6338e239bff60718819f

SHA256
39cf1a5196ab7f8fca7214dd0736a05d9543000e0d8602504fd7655b6010bde1

SHA512
409509398ab3d6b4dd006412341b40fe52bb517278bf434110f34abaf30cddd35a2180925b19dea8ceed0caddb9843b237762e6a723ef24e7ada2e9a2c4c1a1c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads