gh0strat | 37fe629b678a189a737a47ee98b711b5e5a2bf1f44b256afa5d7dba8665df269

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe
Size

221KB
MD5

18b08223d3b50c2468ec07af1a87a5f4
SHA1

02db9740c82b8c401fe6d465da6cbf732a1ad5ec
SHA256

37fe629b678a189a737a47ee98b711b5e5a2bf1f44b256afa5d7dba8665df269
SHA512

738320173f06a5d02eb72332c143f019b311f71b45f272b2bc0abccdcfc7e35ab59d37a6a934790ff717a5d55b9e59f9d3b142a48c85d1c92053f860cd995de5
SSDEEP

3072:7QIURTXJ4bzsVBpw6xzGR27Hgqf+eaqLeHgqrviZ27ZlcuLCmKa76sXApYwGC95v:7sUizFxG0zrf+ev6Aq7iszKaGOwfR

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/files/0x00090000000142cc-18.dat	family_gh0strat
behavioral1/files/0x00090000000142cc-20.dat	family_gh0strat
behavioral1/files/0x00090000000142cc-19.dat	family_gh0strat
behavioral1/files/0x00090000000142cc-21.dat	family_gh0strat
behavioral1/files/0x00090000000142cc-22.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2804	rundll32.exe
4	2600	rundll32.exe
6	2804	rundll32.exe
7	2600	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\4PfkjP63\Parameters\ServiceDll = "C:\\Windows\\system32\\RUNnjY.pic"	Thunder.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	Thunder.exe

Loads dropped DLL 9 IoCs

pid	Process
2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe
2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe
2316	Thunder.exe
2316	Thunder.exe
2316	Thunder.exe
2916	svchost.exe
2804	rundll32.exe
2680	svchost.exe
2600	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RUNnjY.pic	Thunder.exe
File opened for modification	C:\Windows\SysWOW64\system.log	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\system.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	Thunder.exe
2316	Thunder.exe
2316	Thunder.exe
2316	Thunder.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2316	Thunder.exe
Token: SeRestorePrivilege	2316	Thunder.exe
Token: SeDebugPrivilege	2916	svchost.exe
Token: SeBackupPrivilege	2804	rundll32.exe
Token: SeSecurityPrivilege	2804	rundll32.exe
Token: SeDebugPrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2600	rundll32.exe
Token: SeSecurityPrivilege	2600	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	rundll32.exe
2600	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2792 wrote to memory of 2316	2792	VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe	28
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2916 wrote to memory of 2804	2916	svchost.exe	30
PID 2680 wrote to memory of 2600	2680	svchost.exe	32
PID 2680 wrote to memory of 2600	2680	svchost.exe	32
PID 2680 wrote to memory of 2600	2680	svchost.exe	32
PID 2680 wrote to memory of 2600	2680	svchost.exe	32
PID 2680 wrote to memory of 2600	2680	svchost.exe	32
PID 2680 wrote to memory of 2600	2680	svchost.exe	32
PID 2680 wrote to memory of 2600	2680	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare-18b08223d3b50c2468ec07af1a87a5f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\Thunder.exe
  "C:\Users\Admin\AppData\Local\Temp\Thunder.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 4PfkjP63
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\runnjy.pic,main 4PfkjP63
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 4PfkjP63
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\runnjy.pic,main 4PfkjP63
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
265KB

MD5
78f9c836dc3772d718ed4dfbbb9273b4

SHA1
ee0fb33d6cbcbf949acb4ea71bea2ca405384e58

SHA256
dd5336f57f8dcbb8be5eacf801a7debe8be18ef54104c338831a97e484679ec6

SHA512
0c6b719c1af68d8a6f88d0df235dc2c5e461110795b9c2d909e255948253a832e2fa6337b85ae70823460cf855964d0300892e7fe194083874fe9eb12ae86793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
872KB

MD5
778f5b4481028efdd66ecaf4e80fbbc0

SHA1
7f81fae7e8e4813ef6ea164c0bf99f8d336ffcc0

SHA256
ad9ea3fa66b845926e3a435fb00681897b3597bcf885118849217b89df238fbf

SHA512
ce78d458383bff85602b444025ff3dfd628f07b3ff198377f56f768a58f153e6debc0e8ae12a4b60a29655ad2b0585b500657535797cd2978617910c33cacf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
677KB

MD5
31ca02b8f8fd7a2c4dc8c010c78e6276

SHA1
54e95d0351b1c2a59b4ad99a76681ca7bd1f5a84

SHA256
d1d13fe81c7726014017403ada3e8d3769e89f99370141e0634df546c974e205

SHA512
88747249e01088c23142c09c8f0787312f9055ad3a5e99366ee3a638cb199ed8f8dc31d6dad57461eb6ce3f9f0d24241e72344a640a68c408a9d02bbb4048613

Download Submit
\??\c:\windows\SysWOW64\runnjy.pic

Filesize
289KB

MD5
7cc2f5722c696e71e77754c12782100e

SHA1
d71db126e99f00d195d111053ed2c50e5a50f329

SHA256
3780a6fe7ef8ed3883a70c05d59157e1af1b7e464926966203320b06e1ffbbca

SHA512
57e87fd4004065c3ec5ebf207eaa48e4db559d626652f3e592f80e5f5abe065f30503830caf863ef421352d35d397999e2d47b2be4c2757476bab3a1cd0797be

Download Submit
\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
311KB

MD5
fc528bef440f744a1ce5cfffba934438

SHA1
317064e89296689f5adcb80917462d8f4b97cda8

SHA256
fe98e5354209bdabbcd4e521a1ca554bb0f6a03047816cdfd3c09781064fc633

SHA512
b5b0835bdbabbefb6392fcc8495305451468e40528591993378ce485d001e196cef7a0bdfdaca53ea0c219d3a2a392f7904fc02542517ff969f4bb6527650ff7

Download Submit
\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
463KB

MD5
5649d4d7f97021bdd29ff97256ad0a98

SHA1
87a9a65a63c60ab6b21e115332ffc45f4f186935

SHA256
7eb37b33b84499dbc109db2f98f4bb4c8e597123d40ce60fb038c63c7f56a22f

SHA512
11ca207fa86042c45b28312a6c7d7b1e61e3cc53ca37333bbe386fc5efd852032f14b9daa8013047d696445c2e78b3ef608e1ed985d60f7fc19428da3c9cbef8

Download Submit
\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
315KB

MD5
75f3702cf7eaa83edb1ec5f6911cc8c9

SHA1
98a871c3ca05c942ba2fd2354c7407ae8bbd4434

SHA256
6da845f2f0221530416108c2516cb05dd45c9c9929888f37bb43db87470ef033

SHA512
85aa1b5d8b121403c38d0249a7b12f24f986e8151e49e2d7ccb9887a8b76bded9806d78ab640a75631ead738bfa6872d8fb4e5ab831ae980d465d6c60a84ebb6

Download Submit
\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
817KB

MD5
22e5a00b3027d996132580984a14ed68

SHA1
1d05b91e392fd66e4d3dc1631010f12936f90caa

SHA256
f2e5f4d83d76ff551cded60c1ccb0a43f8b10ab4717457c03e7fbc0e54f66cf1

SHA512
438b2267af606a518a70202776318ede26c86bf5546bc8ab67721bba2f0a3103a4f7ae119fda66bcfd8687f7d6378846bf1baffdddd3a358b9046e57cca3c4d3

Download Submit
\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
563KB

MD5
5458f5222abe079ac6062211acbe684a

SHA1
1890c8582c72a2ddb68446de7db1e4ebe0917fee

SHA256
79b0b3a215217fd504618509a28259413adff29c0e9fb3578ddb6c3d49052d4d

SHA512
2d711d920a19053398866a150fcffaf9e6fdcc59e576142cdad301a1af6ec9ce0d03ad607c77f20bda735574017fd96ed074e7a63a7b0265456f84f3aa27af32

Download Submit
\Windows\SysWOW64\RUNnjY.pic

Filesize
165KB

MD5
a643e6dd79c2c1b082eebb9bc33357f7

SHA1
8852b88d5a48a479e9afabe1d2edc6ce34cf071c

SHA256
878a832e0da8344ae3c29c07bc36afcbcec9f0677d601d32c2302689549c41b7

SHA512
6b84bebf7fd7069395a4b1d9e079686a2bd03612dcde3ed34dc035fd6fef0ffeb4fe83cebbe1a074d5b2c95fa29cbd5d62cfdae5f0ed87e1ce5a800fd2c5b741

Download Submit
\Windows\SysWOW64\RUNnjY.pic

Filesize
141KB

MD5
2b6a5ec26923da49671d634dd5280c11

SHA1
787d8d263c199f7ad1900bd18acfff480a924baf

SHA256
f57947485dec07a2cc432c039cc7988ed002b974711345c096100c37e50a2285

SHA512
6da435304675d9c3aca3c8c728f8e1f6185eafbd512a659dd6ee9646e221a7498191082a851cce30105fa8ca86a6a0ff33207e97998ed9f6ea2d0e5a9b08aa1c

Download Submit
\Windows\SysWOW64\RUNnjY.pic

Filesize
2.9MB

MD5
41804890d3358b014b3de782b910d93e

SHA1
c464d6ef980aee28836bbcc0d941d3772cf085c9

SHA256
e83c2ec89f7dd42b64a7c32c0e7904821ceb910b45ab810683262c81ae5aff2f

SHA512
fb6a75478340ba83fc60618ef8a54f5b5e21d818eb2856e69ee15ffa440c4c77338db5b3f1d6c79325ea4c07224a654854e2dcf76c21a757884bd67c9ea2af27

Download Submit
\Windows\SysWOW64\RUNnjY.pic

Filesize
3.1MB

MD5
8c94cb9e3ede1247a810fe7992d46518

SHA1
c3ec78fde4e983091ebb8aaa0ada4657d48b1295

SHA256
fc98ebda5fa51407e8ef33750f066da6107c04cb65514ed97511258cc31007df

SHA512
2f6287ecb3460ba368dd092b712e0bd56406789f76526792bcd7da4f905988e70dbb3bc7acc356e029b5e5a9a6c27b238c36140e8a6d047cd4572e2d53477257

Download Submit