gh0strat | 36a91eb16f6e147110311584e6d3b39c0e5c4f791c42e46c6175af674c65e9de

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19ed1f40bdd3b351e075af39d3ffa0ae.exe
Size

902KB
MD5

19ed1f40bdd3b351e075af39d3ffa0ae
SHA1

6d20d83656bd4178581dd10df43596ad5f78279b
SHA256

36a91eb16f6e147110311584e6d3b39c0e5c4f791c42e46c6175af674c65e9de
SHA512

9701ca221669e3f23236e9c5be2caf28bd73470e9474e088f26c6383ec12141d1756e33532f8c9705a62109a2306a8cdfa1e60225fb4c5ff4fdee1b37432ae9a
SSDEEP

12288:jt0VPFfsKAkrbPlXhHANUTNqmkupHANUTe:SFksb1Amkuu

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2308-11-0x0000000000400000-0x00000000004F1000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2308	(null)0.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/files/0x0009000000016176-5.dat	upx
behavioral1/memory/2308-11-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/memory/1972-9-0x00000000026A0000-0x0000000002791000-memory.dmp	upx
behavioral1/files/0x0009000000016176-8.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19ed1f40bdd3b351e075af39d3ffa0ae.exe"	19ed1f40bdd3b351e075af39d3ffa0ae.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\(null)0.exe	19ed1f40bdd3b351e075af39d3ffa0ae.exe
File opened for modification	\??\c:\Windows\BJ.exe	19ed1f40bdd3b351e075af39d3ffa0ae.exe
File created	\??\c:\Windows\BJ.exe	19ed1f40bdd3b351e075af39d3ffa0ae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2308	1972	19ed1f40bdd3b351e075af39d3ffa0ae.exe	28
PID 1972 wrote to memory of 2308	1972	19ed1f40bdd3b351e075af39d3ffa0ae.exe	28
PID 1972 wrote to memory of 2308	1972	19ed1f40bdd3b351e075af39d3ffa0ae.exe	28
PID 1972 wrote to memory of 2308	1972	19ed1f40bdd3b351e075af39d3ffa0ae.exe	28

C:\Users\Admin\AppData\Local\Temp\19ed1f40bdd3b351e075af39d3ffa0ae.exe
"C:\Users\Admin\AppData\Local\Temp\19ed1f40bdd3b351e075af39d3ffa0ae.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1972
- \??\c:\Windows\(null)0.exe
  c:\Windows\(null)0.exe
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\(null)0.exe

Filesize
695KB

MD5
11807d0684499ab797117cba9e72aaeb

SHA1
58648e2bc9cd1a865e030b817086f734947da049

SHA256
f079d7ac988f4ab6409a0859f1fb9d3c9fb9c7dabe726af62823141547d9f59e

SHA512
7f8a1d9bfd246a23a1b5089d934fbbef052731437a9ea38bc701c2aa003e806b50e7919e846355780b9de44ecff50dcd7a5bfdb345dd88557dacdfc0e62a1fa5

Download Submit
C:\Windows\(null)0.exe

Filesize
413KB

MD5
01e50e2c4e37b37d5a226f29f3dd22ca

SHA1
2edc62bfe820fefb55fa68db73a15995dcda1f17

SHA256
acb3e010f053d6d4d2d7bf2c15369ccc96423346548972e9955e6176fe0542a0

SHA512
160a5ecf3072286eeff2bcf41958f10f5699f5d170560a1b93777ffd113e2dd30c66f5dd9aaa6154b32fb8aa62e9b162a12269522b51b501ab99ea02b142912f

Download Submit
memory/1972-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1972-12-0x00000000026A0000-0x0000000002791000-memory.dmp

Filesize
964KB

Download
memory/1972-9-0x00000000026A0000-0x0000000002791000-memory.dmp

Filesize
964KB

Download
memory/2308-11-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads