gh0strat | 612026f17b9b51743d4efd22bc27959966daebd9a3406ad26ad3d4f75e0069d5

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43853ca85ff18290cf79f75f4cef429a.exe
Size

125KB
MD5

43853ca85ff18290cf79f75f4cef429a
SHA1

e207a33e99ea811eb1cdb2c22889a13299eafbda
SHA256

612026f17b9b51743d4efd22bc27959966daebd9a3406ad26ad3d4f75e0069d5
SHA512

eae1b114ded54f967f62790782c6ce0b1bf4ba4429c88e998637c2573e35f403c71d8962d79f4428bd1fd85775b3132c65a51af9e8951189111c6b731084d4fd
SSDEEP

3072:yIJ5OnyQxDrhEo2KbZ5sU9Do9dGMkhYkItwTUgcu68O0y:yogyQxPhP2KbP69UFJItSUgc14y

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x0000000000421000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000012281-7.dat	family_gh0strat
behavioral1/files/0x0008000000012281-9.dat	family_gh0strat
behavioral1/memory/2936-10-0x0000000000400000-0x0000000000421000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\System32\\FastUserSwitchingCompatibility.dll"	43853ca85ff18290cf79f75f4cef429a.exe

Deletes itself 1 IoCs

pid	Process
2668	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	43853ca85ff18290cf79f75f4cef429a.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2936	43853ca85ff18290cf79f75f4cef429a.exe
2936	43853ca85ff18290cf79f75f4cef429a.exe
2936	43853ca85ff18290cf79f75f4cef429a.exe
2936	43853ca85ff18290cf79f75f4cef429a.exe
2936	43853ca85ff18290cf79f75f4cef429a.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2936	2640	43853ca85ff18290cf79f75f4cef429a.exe	14
PID 2640 wrote to memory of 2936	2640	43853ca85ff18290cf79f75f4cef429a.exe	14
PID 2640 wrote to memory of 2936	2640	43853ca85ff18290cf79f75f4cef429a.exe	14
PID 2640 wrote to memory of 2936	2640	43853ca85ff18290cf79f75f4cef429a.exe	14

C:\Users\Admin\AppData\Local\Temp\43853ca85ff18290cf79f75f4cef429a.exe
C:\Users\Admin\AppData\Local\Temp\43853ca85ff18290cf79f75f4cef429a.exe
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Users\Admin\AppData\Local\Temp\43853ca85ff18290cf79f75f4cef429a.exe
"C:\Users\Admin\AppData\Local\Temp\43853ca85ff18290cf79f75f4cef429a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
101KB

MD5
146a78dbb292b8ef7bcfe76dcc62ca5b

SHA1
2c3d80e796f4cbbb461aea5d87f12feab0c45088

SHA256
2adc26721025868d101911d82daacc9c6f7b804648b4215b59081f9d51283a93

SHA512
02399def410f8adfb7202782cd26482d9a6ff3261871ecff5858d1bf6e63b0103d5103db688790996b6afb2636cdd6111415cf7b4db45cd8a559ed807965c00f

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
48KB

MD5
2ae3a49f0d201d883af21ca8c2e4db4c

SHA1
4ca9c9d8277feac5a30eb569fb24b65524ca5a78

SHA256
545edc8712d22f35bb54ba1fde61d12981385356c4114ed8ef81d5de9154be99

SHA512
1901514bf0a1dcefdb98642e7206af41afb71099b417fc1ff0222f2402c9a8516ac5b180a2bc489279ce5f51b762c84de54e992335364842ede5a9be59bd57f8

Download Submit
memory/2640-1-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/2640-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download