gh0strat | 98c0d0317cb20daab2ceb8167c6e95eed9b332f1423c79a06d57bca9abb339de

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63934ae4c23ad5c1c1d9c2343dfc3b86.exe
Size

112KB
MD5

63934ae4c23ad5c1c1d9c2343dfc3b86
SHA1

259b53bc64607d6fe2e1aae7e8d5385bf794599e
SHA256

98c0d0317cb20daab2ceb8167c6e95eed9b332f1423c79a06d57bca9abb339de
SHA512

577dd4cf4aa1705648ce12f6762521a0baafb01965b2165995d2c721e8989d502b5da24401253e83bee36196ef232d42bb638149bf86d9dbf1b6a672a7a130cf
SSDEEP

3072:ODkatHZ8t+9kIGexpQeq6+ii3/gpI9rc172Es7HgUJnfHi:wkaj8CkIGkpQeqaiPL+16X7vJnK

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2432-0-0x0000000000400000-0x000000000041F000-memory.dmp	family_gh0strat
behavioral1/memory/2432-3-0x0000000000400000-0x000000000041F000-memory.dmp	family_gh0strat
behavioral1/files/0x000d0000000122f5-2.dat	family_gh0strat
behavioral1/memory/1784-5-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat
behavioral1/memory/1784-6-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\ntuser.dll"	63934ae4c23ad5c1c1d9c2343dfc3b86.exe

Deletes itself 1 IoCs

pid	Process
1784	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1784	svchost.exe

C:\Users\Admin\AppData\Local\Temp\63934ae4c23ad5c1c1d9c2343dfc3b86.exe
"C:\Users\Admin\AppData\Local\Temp\63934ae4c23ad5c1c1d9c2343dfc3b86.exe"
1⤵
- Sets DLL path for service in the registry
PID:2432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local user\ntuser.dll

Filesize
98KB

MD5
4f682343abc07744dda6cbabc3149957

SHA1
2e8ddc2f5e354d0a80a4c495dca3a53883d67f6d

SHA256
a332930b218ac7549a62e4a5703d83748eb41a5be8bb393ea45592c4b67c13f9

SHA512
e23ee1bb58190b75a52cd3071e63fa2dfd0a187858087fef960924d2fa95469ee1cf415584d86aef6efd21ddbb9d42392729e3fe121daad618a24a1d12750ccb

Download Submit
memory/1784-5-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1784-6-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2432-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2432-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads