gh0strat | 0e0cf649a9677b86d41b380e00e7b5a3fc86733cdd2d27baf32c29081011a7b5

Analysis

max time kernel
175s
max time network
177s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e902d89b285f81cef5e2e9a2782cd7.exe
Size

336KB
MD5

53e902d89b285f81cef5e2e9a2782cd7
SHA1

369080a95b2dbe23f935febec7b5eda02247de09
SHA256

0e0cf649a9677b86d41b380e00e7b5a3fc86733cdd2d27baf32c29081011a7b5
SHA512

03321a6e9e2d43a79123c6758d0daf5712fe981db86f61c18cd4f82d65f78648e4a855c13bde17b109e69c7d89c939ed0c8c1fddba6e170bbec57676006ff901
SSDEEP

6144:YC3Dee6eDksOFilfPuE857FpY4lpeUaKcOwMrSv2dpCrnG+mxUYUnvI/:4CDksoilfPzI7fY4XeEjrSv2EG3/kva

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012270-6.dat	family_gh0strat
behavioral1/files/0x0009000000012270-11.dat	family_gh0strat
behavioral1/files/0x0009000000012270-10.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2908	rundll32.exe
5	2908	rundll32.exe
6	2908	rundll32.exe
7	2908	rundll32.exe
8	2908	rundll32.exe
9	2908	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Net Logon Framework\Parameters\ServiceDll = "C:\\Windows\\system32\\mtf76ab0em.dll"	53e902d89b285f81cef5e2e9a2782cd7.exe

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2408	53e902d89b285f81cef5e2e9a2782cd7.exe
2880	svchost.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mtf76ab0em.dll	53e902d89b285f81cef5e2e9a2782cd7.exe
File created	C:\Windows\SysWOW64\mtf76ab0em.dll	53e902d89b285f81cef5e2e9a2782cd7.exe
File opened for modification	C:\Windows\SysWOW64\RCXAD5F.tmp	53e902d89b285f81cef5e2e9a2782cd7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadNetworkName = "Network 3"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecisionTime = c0295f779938da01	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecisionTime = c0295f779938da01	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\ba-c8-60-1a-85-69	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecisionTime = a021e6279938da01	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecisionReason = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecisionReason = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDetectedUrl	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecisionTime = a021e6279938da01	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2408	53e902d89b285f81cef5e2e9a2782cd7.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2408	53e902d89b285f81cef5e2e9a2782cd7.exe
2408	53e902d89b285f81cef5e2e9a2782cd7.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2764	2408	53e902d89b285f81cef5e2e9a2782cd7.exe	30
PID 2408 wrote to memory of 2764	2408	53e902d89b285f81cef5e2e9a2782cd7.exe	30
PID 2408 wrote to memory of 2764	2408	53e902d89b285f81cef5e2e9a2782cd7.exe	30
PID 2408 wrote to memory of 2764	2408	53e902d89b285f81cef5e2e9a2782cd7.exe	30
PID 2880 wrote to memory of 2908	2880	svchost.exe	32
PID 2880 wrote to memory of 2908	2880	svchost.exe	32
PID 2880 wrote to memory of 2908	2880	svchost.exe	32
PID 2880 wrote to memory of 2908	2880	svchost.exe	32
PID 2880 wrote to memory of 2908	2880	svchost.exe	32
PID 2880 wrote to memory of 2908	2880	svchost.exe	32
PID 2880 wrote to memory of 2908	2880	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\53e902d89b285f81cef5e2e9a2782cd7.exe
"C:\Users\Admin\AppData\Local\Temp\53e902d89b285f81cef5e2e9a2782cd7.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\53e902d89b285f81cef5e2e9a2782cd7.exe"
  2⤵
  - Deletes itself
  PID:2764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Net Logon Framework"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\mtf76ab0em.dll, wince
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\mtf76ab0em.dll

Filesize
37KB

MD5
df4ddce8bb885ad35fabdd394139e92a

SHA1
528e659a788eb4808f7d8668d3c169343ccc8dc0

SHA256
52a5f2f95ea9ec37d7f3edba25f7fb14a9efa4f71922ef74a3445a8e423ab8c1

SHA512
90d3490d545c1f78de1aece3b5466530d57c6854d41956fe3ef237e5044e2545eb4ff3649f6ec08e5b3c608008994c61d614391a2f51e7bb89941baccddd15a8

Download Submit
\Windows\SysWOW64\mtf76ab0em.dll

Filesize
19KB

MD5
b97ea6e0c952cdfeacb2a5bc1ca94601

SHA1
f4f7f2fe986a1d99d12e495db5049b841d23a8a1

SHA256
9ece5b692941ea765ed1261a948ad0b87587a4135114de922464b45cb988ec9f

SHA512
5c2365b88a7f0335bdeea6f901a7975f93a04df1f03e44fd661da90f5fab3a5e401a7b81255cdd5b7e2ccc9f36fb759edcc8f11f39812b981632c5ff1d20882e

Download Submit
\Windows\SysWOW64\mtf76ab0em.dll

Filesize
237KB

MD5
9f16b5334ca188ee93fae45197813288

SHA1
8c573d3ed4f46e10599a90e50d928b795d02a35e

SHA256
dbce55a6313d67fa564fc2c758085ec1c2158f18860a561b586bec0b1972702a

SHA512
e5426db3355b2a05a71158569adf9c04ed8111f18d7cd4b3ef87944294ad4242d183a4faef304a7996d3251846ee1d13115ccc0f370e42354b4142f276bdccff

Download Submit