gh0strat | c9a95f7f47b3eae61b7e69aaca8b371307ff3f500f5fdec142480c0a3a917638

General

Target

20632e3f3c17863bc3f6d7649e738c5d.exe
Size

382KB
MD5

20632e3f3c17863bc3f6d7649e738c5d
SHA1

a54f37f084078bf8cc3556bd3a1f112e0cebe78c
SHA256

c9a95f7f47b3eae61b7e69aaca8b371307ff3f500f5fdec142480c0a3a917638
SHA512

9294a06617237b26fb8c0f50173099bf387e8bfdcb065ee01dcbd28323eb9780a76ad0e75f78d1845f23e462d3cb77f554e1c3dee879291aa4288f2bb5072a1a
SSDEEP

6144:v9QdThQbbQhzfytCnF2idZecnl20lHRxp3glWmhEgRV8Bl7Md8tHoCO+bP1cFBWT:1ETWyzatCFF3Z4mxxyD0hxg+bPCBh0

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1264-37-0x0000000000400000-0x0000000000470000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility32.dll"	20632e3f3c17863bc3f6d7649e738c5d.exe

C:\Users\Admin\AppData\Local\Temp\20632e3f3c17863bc3f6d7649e738c5d.exe
"C:\Users\Admin\AppData\Local\Temp\20632e3f3c17863bc3f6d7649e738c5d.exe"
1⤵
- Sets DLL path for service in the registry
PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\\System32\\svchost.exe -k netsvcs
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1264-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1264-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1264-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1264-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1264-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1264-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1264-7-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1264-8-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1264-9-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1264-10-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/1264-11-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1264-12-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1264-14-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1264-13-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1264-15-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1264-16-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1264-17-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1264-18-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1264-19-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/1264-20-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1264-21-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1264-22-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1264-23-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/1264-24-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1264-25-0x0000000003180000-0x0000000003182000-memory.dmp

Filesize
8KB

Download
memory/1264-26-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1264-27-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1264-28-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1264-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1264-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1264-31-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1264-32-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1264-33-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/1264-34-0x0000000003170000-0x0000000003173000-memory.dmp

Filesize
12KB

Download
memory/1264-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1264-38-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads