gh0strat | 707ffaca98d0e76075ccc7de2ce0253f92ff943b106627307fb56f9c4ede8596

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18bb5adb6e092f2eef067247aa6606bd.exe
Size

125KB
MD5

18bb5adb6e092f2eef067247aa6606bd
SHA1

499334dbbd70e91d207b588204ebe2270e409ba8
SHA256

707ffaca98d0e76075ccc7de2ce0253f92ff943b106627307fb56f9c4ede8596
SHA512

7e4c824b21b1e1fbc8d459b5f3ed9498507d45dc3e7e096edc24cd871cf55fb4585f8e2e3cc07e788d091b68264ebfe1a08d1229606542132d2a359ca68380e1
SSDEEP

3072:zS3i7bVEnOQ5UP6hKRXuS6S9L3e2ta2OMdj3Kx8o0:zSKVEnOQ5UyhZK973aodj6M

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023239-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\QQpinyin.dll"	18bb5adb6e092f2eef067247aa6606bd.exe

Deletes itself 1 IoCs

pid	Process
4644	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4644	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1336	18bb5adb6e092f2eef067247aa6606bd.exe
1336	18bb5adb6e092f2eef067247aa6606bd.exe
1336	18bb5adb6e092f2eef067247aa6606bd.exe
1336	18bb5adb6e092f2eef067247aa6606bd.exe

C:\Users\Admin\AppData\Local\Temp\18bb5adb6e092f2eef067247aa6606bd.exe
"C:\Users\Admin\AppData\Local\Temp\18bb5adb6e092f2eef067247aa6606bd.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local user\qqpinyin.dll

Filesize
111KB

MD5
2642c6499cd5965adc97bf5667d02428

SHA1
9f88693dda507614bab29a5ba42c6405d93e5fba

SHA256
25ce4655475215d719d17cc21acb6d758276a188c95695edae369a58b666b936

SHA512
0a083df8946ac24abe16e6d26c29144c8c724e178879f912d135093d97bb5c30bcb913ff969ef1abf1a6338b92d8774de3d6119e2e0bb663fa459896b7078d5c

Download Submit