gh0strat | e76f937ea4d7c2d08d0c6324b6e2ab00173093e005dc87f3713c2c3af7d60675

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ce27050d9b4c3571df2f71dc5329be9.exe
Size

119KB
MD5

4ce27050d9b4c3571df2f71dc5329be9
SHA1

fe30de46fcd56da7edac8e9b42389f965f5612e1
SHA256

e76f937ea4d7c2d08d0c6324b6e2ab00173093e005dc87f3713c2c3af7d60675
SHA512

49b5541dac6cd1c9013d24fafbb7f05a2ccff3e6b8f9e3ef87f95a7c9429355d75b21e5705ac1ee18fdbe6fa3ab645c1a4529872a06f57760a8d377853bb7068
SSDEEP

1536:42ldhcpSTZYQT2mw3njOwFRHeTdh9vtNol3FxDf8lBNPcRMHvtulGghoB6ann6Nk:l5/itRjOAaVNENUlBZvPU9u/n6CYW

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_gh0strat
behavioral1/memory/2436-4-0x0000000000400000-0x0000000000441000-memory.dmp	family_gh0strat
behavioral1/files/0x000e000000012247-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityexxxx.dll"	4ce27050d9b4c3571df2f71dc5329be9.exe

Deletes itself 1 IoCs

pid	Process
2304	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityexxxx.dll	4ce27050d9b4c3571df2f71dc5329be9.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

C:\Users\Admin\AppData\Local\Temp\4ce27050d9b4c3571df2f71dc5329be9.exe
"C:\Users\Admin\AppData\Local\Temp\4ce27050d9b4c3571df2f71dc5329be9.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:2436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityexxxx.dll

Filesize
96KB

MD5
253c9193615d7b7db866956a25ef9155

SHA1
4cf5d57eaf3868a5334e40db09120d184430800d

SHA256
005ac66a3185b7d455d9a55de7f68fa50ee00235c0eb327b9e00a331d7e2f9d9

SHA512
c225d6df7a25c59feacf75f0f5c10c74108d8c5b24ff8649173fc76597b38936b09b6bb279122b03e063f53e35843778ce2bc2d299629a1b51776f794e3d18eb

Download Submit
memory/2436-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads