gh0strat | 3da21b1f1f4a5d4d90625b00168b498e236e7d65c9436d1b78b200eacfcb6ac7

General

Target

127f5a570b177ff4d6a842f228b3e1da.exe
Size

174KB
MD5

127f5a570b177ff4d6a842f228b3e1da
SHA1

8c335838e4c115c645e2207b3b76f77b7f1a7b49
SHA256

3da21b1f1f4a5d4d90625b00168b498e236e7d65c9436d1b78b200eacfcb6ac7
SHA512

5f822651434ad7febbf4d647757730080dd871f7adc6651963bd021e661bfe5241c9c132add0b99b86578646fac9fdb5806465d2f35bdbb2fa29b602df6db1ba
SSDEEP

3072:VJuGnYhTbK80khbOW1oWOQ1f9xHwm1PXBmXZFeA28pM6EdePl9dehiv80P80CnpZ:VJueTk1OwoWOQ3dwaWB28edeP/deUv8M

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001224e-3.dat	family_gh0strat
behavioral1/files/0x0007000000016558-15.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CDC89E-DF42-420a-8423-590D30E75380}	127f5a570b177ff4d6a842f228b3e1da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39CDC89E-DF42-420a-8423-590D30E75380}\stubpath = "C:\\Windows\\system32\\incvyzsfr.exe"	127f5a570b177ff4d6a842f228b3e1da.exe

Executes dropped EXE 1 IoCs

pid	Process
320	incvyzsfr.exe

Loads dropped DLL 5 IoCs

pid	Process
2316	127f5a570b177ff4d6a842f228b3e1da.exe
320	incvyzsfr.exe
320	incvyzsfr.exe
320	incvyzsfr.exe
2432	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\incvyzsfr.exe	127f5a570b177ff4d6a842f228b3e1da.exe
File created	C:\Windows\SysWOW64\syslog.dat	127f5a570b177ff4d6a842f228b3e1da.exe
File opened for modification	C:\Windows\SysWOW64\incvyzsfr.exe_lang.ini	127f5a570b177ff4d6a842f228b3e1da.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	127f5a570b177ff4d6a842f228b3e1da.exe
320	incvyzsfr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	127f5a570b177ff4d6a842f228b3e1da.exe
Token: SeDebugPrivilege	320	incvyzsfr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	userinit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 2316 wrote to memory of 320	2316	127f5a570b177ff4d6a842f228b3e1da.exe	28
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29
PID 320 wrote to memory of 2432	320	incvyzsfr.exe	29

C:\Users\Admin\AppData\Local\Temp\127f5a570b177ff4d6a842f228b3e1da.exe
"C:\Users\Admin\AppData\Local\Temp\127f5a570b177ff4d6a842f228b3e1da.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\incvyzsfr.exe
  C:\Windows\system32\incvyzsfr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\259396481_lang.dll

Filesize
122KB

MD5
bde04b872e279942b854f01e5359408a

SHA1
1974bb0189f679d195dff6b3e73b43e07bfbbd10

SHA256
d434b02ef94ec2904b69339c59020162a2bf0c53877844fce0df61c302dec0c7

SHA512
78d82f5514f2e60bd25c1e53b938e5368f0cec2b5929226e510d34a49837ca7cf79a0009fce5627c9f48f91d0eef2a02352acd801beffcf9829c7882c2df9a18

Download Submit
\Windows\SysWOW64\incvyzsfr.exe

Filesize
174KB

MD5
34fec25e0afffbbd64b20532adf0ee9d

SHA1
6fd5105c4066bf504af7c72b06e9f8dd65bf9579

SHA256
b79a487aee90efa54f54ee4414603cb4353ca5b5a989cf588cccf351c323baf0

SHA512
3e5d46a2992f0670b9635e17307e5a90510e4bd0bf17a0b90acc2e63c35da6a43c012b35f1fa3498c42ed69e2169eca1f642511dd4ccdf7b0bce8bbb2f7ce87c

Download Submit
memory/2432-13-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads