gh0strat | 52a9f92b8a3e31a47f1a7625994f8dc01df47851145753a900b25163ddaa8d39

General

Target

0a32003831f93a30d9cd1d83a19bb6cc.exe
Size

1.1MB
MD5

0a32003831f93a30d9cd1d83a19bb6cc
SHA1

3a421566b87e46dee297a689d6b6d58391699914
SHA256

52a9f92b8a3e31a47f1a7625994f8dc01df47851145753a900b25163ddaa8d39
SHA512

85e98f1f7a06d9b12571b722a214a99aae4029fbb687fdef72e822d513eb6220c7062f61eb9c4ed95ca3a6681eb08df27cf4d641e6c72dd914da549be8824c1a
SSDEEP

24576:gl7+zEMipKRX74DAWme8fo9kfKiv2AAJwTp+idGAIPRK8P0N4Zo:a+4MOKRi/0XV2AEE7pIPo8P0Ko

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral1/memory/1992-11-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-9-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-13-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-14-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-20-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-22-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-23-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-26-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-29-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-30-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat
behavioral1/memory/1992-33-0x0000000000400000-0x00000000007DD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1992	123.exe

Loads dropped DLL 2 IoCs

pid	Process
952	0a32003831f93a30d9cd1d83a19bb6cc.exe
1992	123.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a32003831f93a30d9cd1d83a19bb6cc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	123.exe
File opened for modification	C:\WINDOWS\V2011.exe	123.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1992	123.exe
1992	123.exe
1992	123.exe
1992	123.exe
1992	123.exe
1992	123.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	123.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	123.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18
PID 952 wrote to memory of 1992	952	0a32003831f93a30d9cd1d83a19bb6cc.exe	18

C:\Users\Admin\AppData\Local\Temp\0a32003831f93a30d9cd1d83a19bb6cc.exe
"C:\Users\Admin\AppData\Local\Temp\0a32003831f93a30d9cd1d83a19bb6cc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe

Filesize
84KB

MD5
adc0e092f06b4e53b99a7ee9b03be13e

SHA1
5aacd16a63e046eb505826a654108ac9f44067fe

SHA256
be78ec96054e69470a65c4fa836cbf0de386e5050169260f6b92056aef57d16a

SHA512
4ac98fd13af875129ba99b1033bbff03817a33cbc6bf4685a00b308032de5b13a0e486db32a22526236e5c03a3e03c73a2a3538320e00e24a2295622b00f421f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe

Filesize
151KB

MD5
12cddf1b7e5420c8b1b1f59dd11afb09

SHA1
031f6c262d72e8477835da7c29b01158d6027e64

SHA256
515a9a3052cf5130d23675a88f2db95037fdb048d32adb5c8cb913b495b07b1d

SHA512
7168709d92532296cf69af8bb336409d3c0f2ca4d96999664ea2104bfab8b3530de8effc442859e38ab519d26cb0c5892dd5c58f76b809676d3a19805c11640b

Download Submit
C:\Windows\V2011.exe

Filesize
104KB

MD5
ed94e6b92f7e34648191880c0facfa62

SHA1
84a945ab93007a056141bdce4f9ec6bfde022a41

SHA256
7bf91d51d8cac45ad994115959a59a2e8d2ffaf81ae0f26350720d96efc639aa

SHA512
fad500ee3a5694e046029b16f053e3d271093dad3f5c084c6f0560da1e9c90ec83fa28e3806a4c06659f8b97b504373dbd56fd2fc426382f24c16cab19650618

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe

Filesize
106KB

MD5
ccc72ea79fe5dff79fed853d61fa59d9

SHA1
863a9a08884e5afa62762530258c70aca62d5fc4

SHA256
03a702e4da5b15a13346cde19fa4f7c9a60ee1fece14397f214ac171ce4d5e58

SHA512
caabea09f226820dbb7f8060a6649f2b16f3dd9a7d5a2aa246801063fb36d7b47540c7dc70e2cad16909aaf1119c217fd7128d264f6f5d168e87960ba172b74a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe

Filesize
136KB

MD5
53fb7dba244d03adcf79e180e57df8f2

SHA1
a4249c70253afba762075deddccc436855b3bf27

SHA256
08f69928fb3267ed37bfdf771b85604683c5a58992b8dc8510a65d9fb0b33501

SHA512
c343ba5803b19ed6eb27845863a9b4d8f3f87f782a8313c24c161be6733bb8f9eb5fad5fad68b59f48ee97fcc0b81b6ecdac430cb6215ec73dcac29c0ef20d3f

Download Submit
memory/952-8-0x00000000028F0000-0x0000000002CCD000-memory.dmp

Filesize
3.9MB

Download
memory/952-21-0x00000000028F0000-0x0000000002CCD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-14-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-22-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-12-0x0000000000D50000-0x000000000112D000-memory.dmp

Filesize
3.9MB

Download
memory/1992-9-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-11-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-20-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-10-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-13-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-23-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-24-0x0000000000D50000-0x000000000112D000-memory.dmp

Filesize
3.9MB

Download
memory/1992-26-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-29-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-30-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/1992-33-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads