gh0strat | 11cc9769e39533d167c907b9d64644b1814e83fdf32b0b71731ff7bd2490d4f4

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a6b126816a5d56d0718faac25199b8.exe
Size

130KB
MD5

d5a6b126816a5d56d0718faac25199b8
SHA1

95675d1c804d6a4e3dc3e660ea13d5ebcb444e59
SHA256

11cc9769e39533d167c907b9d64644b1814e83fdf32b0b71731ff7bd2490d4f4
SHA512

499dae26a065be82f8166995c8a190fb8110b3efbac0c772eabf8f78dbdb0b9987ec0e8480da420de2680a7590917bdcfca0329c31cba73b685e8d323b7d6183
SSDEEP

3072:U2kiTCHGakO614R51OfUTiWUmdsONtAqGEefX:ULiTCHGaZ6c17NUmKoCqJQX

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/3704-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/memory/3704-21-0x0000000000400000-0x0000000000422000-memory.dmp	family_gh0strat
behavioral2/files/0x000b00000002326c-19.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Rspdates Apxplicatioanjrq\Parameters\ServiceDll	d5a6b126816a5d56d0718faac25199b8.exe

Loads dropped DLL 1 IoCs

pid	Process
2716	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\FuckYou.reg	d5a6b126816a5d56d0718faac25199b8.exe
File opened for modification	C:\Windows\MyInformations.ini	d5a6b126816a5d56d0718faac25199b8.exe
File created	C:\Windows\FuckYou.txt	d5a6b126816a5d56d0718faac25199b8.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2132	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3704	d5a6b126816a5d56d0718faac25199b8.exe
3704	d5a6b126816a5d56d0718faac25199b8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3704	d5a6b126816a5d56d0718faac25199b8.exe
Token: SeRestorePrivilege	3704	d5a6b126816a5d56d0718faac25199b8.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	2716	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 2132	3704	d5a6b126816a5d56d0718faac25199b8.exe	97
PID 3704 wrote to memory of 2132	3704	d5a6b126816a5d56d0718faac25199b8.exe	97
PID 3704 wrote to memory of 2132	3704	d5a6b126816a5d56d0718faac25199b8.exe	97
PID 2716 wrote to memory of 3944	2716	svchost.exe	102
PID 2716 wrote to memory of 3944	2716	svchost.exe	102
PID 2716 wrote to memory of 3944	2716	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\d5a6b126816a5d56d0718faac25199b8.exe
"C:\Users\Admin\AppData\Local\Temp\d5a6b126816a5d56d0718faac25199b8.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im ZhuDongFangYu.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2132

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\SysWOW64\svchost.exe,main
  2⤵
  PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MyInformations.ini

Filesize
390B

MD5
ba767485bc863307849092f51f04badf

SHA1
5b314e6f2054f0bdf6ace0d59e858660e000a789

SHA256
a23d0047732880af55ab9618e9bbc3eb4ce5e173c2f83e3e8056ee8e9497387e

SHA512
bd26ad713ef3528e0ef717c99c28343a3c8922534f01ca78122609e287ad4a05b0ed889c22a133d5815f61321e09f58cb3a75200f49793e8bc243a1416425777

Download Submit
\??\c:\windows\SysWOW64\tasklist.dll

Filesize
115KB

MD5
307b2a81c0f6835484d436443cd30d4a

SHA1
2c393dfb9594f50b01e4d3410a3a66463d1e0b96

SHA256
9711375dea2e0d6fd7569dd0a5e9ff2e3a8c96c12116ad8103c36095197ba451

SHA512
6beb77f15122143e6e7a79ba503e7ae2aa98d7978ccc1b9168686a686e12a336bc1da2501cd64e5c2fbfdc5e2cf8afdd49ce6372e82d67a138121d916860eaa7

Download Submit
memory/3704-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3704-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download