gh0strat | 78c306a02f8a7e8a0584243301d15aaa311194e8d5c90c33da39951e716e3d3a

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e43d7a5d3e5422e7369143f6b0c461.exe
Size

916KB
MD5

23e43d7a5d3e5422e7369143f6b0c461
SHA1

fab82ebd489b3b6e229f38252c248536f6116a68
SHA256

78c306a02f8a7e8a0584243301d15aaa311194e8d5c90c33da39951e716e3d3a
SHA512

a9a99b49d5a43a3817fefb59da91491eadaf3ec27c932458f5c5361590a40e21b18a4d5e926b56fc37aa4b27c1f5f01e83f3a8b0907c1001368f7be2803beca6
SSDEEP

12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZRJ:iM5j8Z3aKHx5r+TuxX+IwffFZRJ

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014fdd-4.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2112	svchest001465662051.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe"	23e43d7a5d3e5422e7369143f6b0c461.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\Windows\svchest001465662051.exe	23e43d7a5d3e5422e7369143f6b0c461.exe
File opened for modification	\??\c:\Windows\svchest001465662051.exe	23e43d7a5d3e5422e7369143f6b0c461.exe
File created	\??\c:\Windows\notepab.exe	23e43d7a5d3e5422e7369143f6b0c461.exe
File created	\??\c:\Windows\BJ.exe	23e43d7a5d3e5422e7369143f6b0c461.exe
File opened for modification	\??\c:\Windows\BJ.exe	23e43d7a5d3e5422e7369143f6b0c461.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2112	2672	23e43d7a5d3e5422e7369143f6b0c461.exe	28
PID 2672 wrote to memory of 2112	2672	23e43d7a5d3e5422e7369143f6b0c461.exe	28
PID 2672 wrote to memory of 2112	2672	23e43d7a5d3e5422e7369143f6b0c461.exe	28
PID 2672 wrote to memory of 2112	2672	23e43d7a5d3e5422e7369143f6b0c461.exe	28

C:\Users\Admin\AppData\Local\Temp\23e43d7a5d3e5422e7369143f6b0c461.exe
"C:\Users\Admin\AppData\Local\Temp\23e43d7a5d3e5422e7369143f6b0c461.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2672
- \??\c:\Windows\svchest001465662051.exe
  c:\Windows\svchest001465662051.exe
  2⤵
  - Executes dropped EXE
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest001465662051.exe

Filesize
916KB

MD5
23e43d7a5d3e5422e7369143f6b0c461

SHA1
fab82ebd489b3b6e229f38252c248536f6116a68

SHA256
78c306a02f8a7e8a0584243301d15aaa311194e8d5c90c33da39951e716e3d3a

SHA512
a9a99b49d5a43a3817fefb59da91491eadaf3ec27c932458f5c5361590a40e21b18a4d5e926b56fc37aa4b27c1f5f01e83f3a8b0907c1001368f7be2803beca6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads