gh0strat | 7a44b15786cc731bc1bca9a1765bb4997ac7fce3c684ae1aa5dcd18e686936fd

General

Target

3f716c25e7df8ce2fc0274e25020e9e5.exe
Size

124KB
MD5

3f716c25e7df8ce2fc0274e25020e9e5
SHA1

5db0dc65a755898203c110bf139f677fe61be3e1
SHA256

7a44b15786cc731bc1bca9a1765bb4997ac7fce3c684ae1aa5dcd18e686936fd
SHA512

1b9bd43d3c7c774ce54a25430ccd87ee2e81dc3537e1917eb44712e80114bfbd12d7fc5cc4361d2e3a21433aa15cf9529cdf927d85150b82ad3225db074f1adc
SSDEEP

3072:sswzCxfRbmdkIXs2+4fiKwjsb1Fe4U8Q2aSn95:+zwdmdtX/KKWsb1pYs95

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e7e3-11.dat	family_gh0strat
behavioral2/memory/4636-22-0x0000000000400000-0x000000000042E77B-memory.dmp	family_gh0strat
behavioral2/files/0x000300000001e7ec-21.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdt.sys	3f716c25e7df8ce2fc0274e25020e9e5.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	tempdir.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	tempdir.exe

Executes dropped EXE 1 IoCs

pid	Process
4636	tempdir.exe

Loads dropped DLL 2 IoCs

pid	Process
4636	tempdir.exe
1396	svchost.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1568-0-0x0000000000400000-0x0000000000442000-memory.dmp	vmprotect
behavioral2/memory/1568-13-0x0000000000400000-0x0000000000442000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	tempdir.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 4636	1568	3f716c25e7df8ce2fc0274e25020e9e5.exe	91
PID 1568 wrote to memory of 4636	1568	3f716c25e7df8ce2fc0274e25020e9e5.exe	91
PID 1568 wrote to memory of 4636	1568	3f716c25e7df8ce2fc0274e25020e9e5.exe	91

C:\Users\Admin\AppData\Local\Temp\3f716c25e7df8ce2fc0274e25020e9e5.exe
"C:\Users\Admin\AppData\Local\Temp\3f716c25e7df8ce2fc0274e25020e9e5.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\tempdir.exe
  C:\Users\Admin\AppData\Local\Temp\tempdir.exe
  2⤵
  - Drops file in Drivers directory
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
95KB

MD5
c3c68e29118de190c10c26175164b25e

SHA1
7abcfa9a9b87e2dd52c9d7dc52017b0dc94c5eca

SHA256
b536f46337b0a5ba06a20fb9dbe47f2d779c1c0f7683b1185a647efce1191d31

SHA512
53e55a61b1266d2a66f5c7ecf177293411f54d845e94176332539b46fd4dcb057beffc2f8c6888621ca12cefe8253408708de894b177bc64356a1e0adb962586

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempdir.exe

Filesize
50KB

MD5
659cdc570b7e2a0b2b489442e2f89e49

SHA1
65fc9f2cfdbd254cc0931a1346cdb7ef4b3dd9f8

SHA256
ced8b1bb0cd38391f34cf348a495708cd0596991aa31d8a5cfdf2ef9d0c2f050

SHA512
98a0117f05489995394f7e32005d74652b75bf64533b8c61c43106a1dadc1c704b30dbeaea58cae36b6b728cfb36d089536a97a95ab6f723e854c6113a659e2a

Download Submit
C:\Windows\SysWOW64\install.tmp

Filesize
45B

MD5
892c7552aec2c2f02d1b1d59b4652483

SHA1
a4a466cab59f02810a8c389298fc8e28870eeff2

SHA256
3d3d2111300afb78931cf172f516a34a6c49a0c65db7060a504991b72c70bf1b

SHA512
53ca994d8b509e00c2ab097bf65fe32e93d14751ae0b46ccd7a8b52607dde0297beeef4c16b5f11116c8785e39d3021ef7e4041a9d0c92160c04c4dd26a6c920

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll

Filesize
95KB

MD5
2d9fb598db8f2eabfb8114f803b7664d

SHA1
4eeae3474be1c999f07152a62c6a4b8d4b06b81a

SHA256
367e2ceabed8aa44d92febf26d8010663393e004f9fcbc617d7f29ff9b2d1d4e

SHA512
ebae22aaf51abb3dc47b79b94f2597873694c9e477ff0861bc3ac01c8c14d82f7297009d80f072b227e00630b94e7e0ae1476b512608ff700fc1d3969e270d02

Download Submit
memory/1568-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1568-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-6-0x0000000000400000-0x000000000042E77B-memory.dmp

Filesize
185KB

Download
memory/4636-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4636-22-0x0000000000400000-0x000000000042E77B-memory.dmp

Filesize
185KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads