gh0strat | 79f591906e20fb71c33f80f56950788b37387917664cc5bf3d4e3304a972de63

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f0285924d4ba0a5c9c145c4a4855b9f.exe
Size

109KB
MD5

7f0285924d4ba0a5c9c145c4a4855b9f
SHA1

24187d9db3900f412fcd828a8315ebfb4cd16e47
SHA256

79f591906e20fb71c33f80f56950788b37387917664cc5bf3d4e3304a972de63
SHA512

d7173e0d8c53e3181012bbf79286e8028ee5bf76e27aa2d9cbae9084373184f987cf3832e2ec23534fa70d4cf98a305ae8e2784272bd5787d77539ff28d3ed4b
SSDEEP

3072:FzLhl6yDAdwgRes1WTFFyr2JQavhFrDidlvUIW:Fvhl6yDAdwgReqWc7OF3WFUIW

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4500-0-0x0000000000400000-0x000000000041D000-memory.dmp	family_gh0strat
behavioral2/memory/3696-5-0x0000000010000000-0x000000001001A000-memory.dmp	family_gh0strat
behavioral2/files/0x000700000002320e-4.dat	family_gh0strat
behavioral2/memory/4500-3-0x0000000000400000-0x000000000041D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\twain.dll"	7f0285924d4ba0a5c9c145c4a4855b9f.exe

Deletes itself 1 IoCs

pid	Process
3696	SVCHOST.EXE

Loads dropped DLL 1 IoCs

pid	Process
3696	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4500	7f0285924d4ba0a5c9c145c4a4855b9f.exe
4500	7f0285924d4ba0a5c9c145c4a4855b9f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	7f0285924d4ba0a5c9c145c4a4855b9f.exe

C:\Users\Admin\AppData\Local\Temp\7f0285924d4ba0a5c9c145c4a4855b9f.exe
"C:\Users\Admin\AppData\Local\Temp\7f0285924d4ba0a5c9c145c4a4855b9f.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS -s FastUserSwitchingCompatibility
1⤵
- Deletes itself
- Loads dropped DLL
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Local User\twain.dll

Filesize
93KB

MD5
29bc3b1e6e4f5166681b9e7868dcb7b9

SHA1
374fa92755210b4b8a594b2b0ed4cd3f8d675c4e

SHA256
f6562601e220df64ddb256dac05cbf2a35383b998706066dddf5d6bfc2d70f19

SHA512
f2f1929b4f095716c2e65fffbf1c75b2011a721461e629370ba34f476296b669b0148a09faf43d87b6e5dfc24a250839ca7d46adf3b59373ac91669e49f747a2

Download Submit
memory/3696-5-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/4500-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4500-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download