gh0strat | b962af838bdfeaef41404d5c59b9ddc485f146925955f76f1ecc63df24ddf2d7

Analysis

max time kernel
195s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

210709bfa14329c63ff27eed065186f4.exe
Size

787KB
MD5

210709bfa14329c63ff27eed065186f4
SHA1

f759f4a2d3c4537db981d5654ea2e0154e294243
SHA256

b962af838bdfeaef41404d5c59b9ddc485f146925955f76f1ecc63df24ddf2d7
SHA512

828e4cb3e558a6589795edc953feea5c651aa74db098cd943d7381fea5ad3db7bc9082446cdf20b9bce72acf22294c01a55178a7eb06979c1e920b5407399bad
SSDEEP

24576:pjAvvLUuVg1dkmAVxLCoqlFLJHDpnQmxIlho:9AvvLu1y/fLC3tPul

Score

10^/10

gh0strat evasion rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4932-8-0x0000000000400000-0x00000000005B2000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Wine	210709bfa14329c63ff27eed065186f4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4932	210709bfa14329c63ff27eed065186f4.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4932	210709bfa14329c63ff27eed065186f4.exe
4932	210709bfa14329c63ff27eed065186f4.exe
4932	210709bfa14329c63ff27eed065186f4.exe
4932	210709bfa14329c63ff27eed065186f4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	210709bfa14329c63ff27eed065186f4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1880	4932	210709bfa14329c63ff27eed065186f4.exe	94
PID 4932 wrote to memory of 1880	4932	210709bfa14329c63ff27eed065186f4.exe	94
PID 4932 wrote to memory of 1880	4932	210709bfa14329c63ff27eed065186f4.exe	94

C:\Users\Admin\AppData\Local\Temp\210709bfa14329c63ff27eed065186f4.exe
"C:\Users\Admin\AppData\Local\Temp\210709bfa14329c63ff27eed065186f4.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4932-0-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/4932-3-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/4932-4-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/4932-6-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/4932-5-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/4932-8-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download