gh0strat | f0e9dad55ec6cda23b8752b376b3b389b1fa91edead2cd12bb087c433011f4d8

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 15:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Size

163KB
MD5

d3d00c1b9ef43c7a0c163d52dd9e2221
SHA1

b4b29c8dd68721af36be8ad8b217f6278d7dc911
SHA256

f0e9dad55ec6cda23b8752b376b3b389b1fa91edead2cd12bb087c433011f4d8
SHA512

b19475a347885a61e683b24cd696e54015f58956479d81a60aebd63ee9a3b91c94b8e5235b35e593f77581b88ebd38ac5682e65f9b3e82f5b8a89c794d14f819
SSDEEP

3072:ziufdpZvS+AFsoTs789Rsf8UBeS8qDYAD2ur1:zps9iOBUI56YAJ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2416-1-0x0000000000400000-0x000000000042A000-memory.dmp	family_gh0strat
behavioral1/files/0x000c000000015cce-14.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1708	259396933_res.scr

Loads dropped DLL 2 IoCs

pid	Process
2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\qmgr.dll	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
File created	C:\Windows\SysWOW64\qmgr.dll	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
File opened for modification	C:\Windows\SysWOW64\qmgr.dll	d3d00c1b9ef43c7a0c163d52dd9e2221.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wi259399024nd.temp	d3d00c1b9ef43c7a0c163d52dd9e2221.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServicePackFiles\i386\qmgr.dll	d3d00c1b9ef43c7a0c163d52dd9e2221.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe
Token: SeDebugPrivilege	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1708	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe	28
PID 2416 wrote to memory of 1708	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe	28
PID 2416 wrote to memory of 1708	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe	28
PID 2416 wrote to memory of 1708	2416	d3d00c1b9ef43c7a0c163d52dd9e2221.exe	28

C:\Users\Admin\AppData\Local\Temp\d3d00c1b9ef43c7a0c163d52dd9e2221.exe
"C:\Users\Admin\AppData\Local\Temp\d3d00c1b9ef43c7a0c163d52dd9e2221.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\259396933_res.scr
  "C:\Users\Admin\AppData\Local\Temp\259396933_res.scr" /S
  2⤵
  - Executes dropped EXE
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\file.tmp

Filesize
8.6MB

MD5
ab7c4f97ef93a3ca5e6ef9693f57f2ba

SHA1
436ca2832d72c969a1454e33b8e1ee3ad6816fc2

SHA256
397a0618187560579adae0b6e091da64d4fb8c55846ed6e87384b8c0936893fe

SHA512
68bec2a00a1f0b8e965392df34418b14263478dacfe6e152ec4fd4304e962f5a318b8ba71c2cf6efb1418ecfbad3adda0b7b3079c917b71f8bf3e9ff213324e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\259396933_res.scr

Filesize
8KB

MD5
4df2ff6fe855989f07df2fc76f68f8d5

SHA1
97b57cc2a6551d1515c93afbb6c058c517ad2e93

SHA256
4a58d7c73ebc21cb550a1dda952663bfef3a659c68749db6c9cacfec85fe8850

SHA512
61a120c9d4054b3d7e625f06251eb095d645f04010eaf22bb3102273b026d1f40f1f45f863f3e19c094a6bd4791d8970ec36ba95bad436dee72b2800f9323105

Download Submit
memory/2416-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download