gh0strat | a70b0835b024da06ae9deb6f667b81113f060241f145c2a71f1f9a2b838fb826

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 17:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bb52eb14b2b30f81854c3114d7839dd.exe
Size

109KB
MD5

0bb52eb14b2b30f81854c3114d7839dd
SHA1

3cf6ed8efc69fb3bd3e787350b27c4325821a6c5
SHA256

a70b0835b024da06ae9deb6f667b81113f060241f145c2a71f1f9a2b838fb826
SHA512

5428e7713c24d90ee9fd59b61d97dacfe11f04ec926ae3ba2a1afe9c4a63076d5cdc39b4554e90376fccf91cb5b224856c5e6cd2ea7843c34fa708f977e8e74d
SSDEEP

3072:uus2d+oIsHPQ3sPWpXwhlSzmw89YRbJP7ose:uAd5XPssNazfmYRdPEse

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001f45f-4.dat	family_gh0strat
behavioral2/files/0x000400000001f45f-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\beep.sys	0bb52eb14b2b30f81854c3114d7839dd.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	0bb52eb14b2b30f81854c3114d7839dd.exe

Loads dropped DLL 1 IoCs

pid	Process
3264	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	0bb52eb14b2b30f81854c3114d7839dd.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1896	2080	0bb52eb14b2b30f81854c3114d7839dd.exe	21
PID 2080 wrote to memory of 1896	2080	0bb52eb14b2b30f81854c3114d7839dd.exe	21
PID 2080 wrote to memory of 1896	2080	0bb52eb14b2b30f81854c3114d7839dd.exe	21

C:\Users\Admin\AppData\Local\Temp\0bb52eb14b2b30f81854c3114d7839dd.exe
"C:\Users\Admin\AppData\Local\Temp\0bb52eb14b2b30f81854c3114d7839dd.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0bb52eb14b2b30f81854c3114d7839dd.exe"
  2⤵
  PID:1896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll

Filesize
81KB

MD5
ff4831f0b15125960b079b16a259375c

SHA1
52af7ac2e49460450ff76634120100988bd53b5c

SHA256
c523f34c0ee60e11493a54e1220d97e2bcd0aac2b2e3d26f2a00e9662c5e1f8d

SHA512
56fae33bb5e418e95fd03c4f3ad7275b7f1344fb224dbecb53497ce83bd71731877003dee18b7204d8adcaebfbc91133f90ac1a2754827ad74c5e99d7b2ea81b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads