Malware Analysis Report

2025-08-05 21:58

Sample ID 240428-qg2acaha4s
Target c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99
SHA256 c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99
Tags
gh0strat evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99

Threat Level: Known bad

The file c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99 was found to be: Known bad.

Malicious Activity Summary

gh0strat evasion trojan

Gh0st RAT payload

Gh0strat family

UAC bypass

Blocklisted process makes network request

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 13:14

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat family

gh0strat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 13:14

Reported

2024-04-28 13:17

Platform

win7-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2008 wrote to memory of 2184 (7 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2216 (4 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2316 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1

C:\Windows\SysWOW64\cmd.exe

cmd /C regedit /s Uac.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s Uac.reg
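The process list above is the whole story of this run in four lines: the 64-bit rundll32 hands the 32-bit DLL (export ordinal #1) to its SysWOW64 counterpart, that rundll32 spawns cmd, and cmd runs regedit silently over a .reg file that sets EnableLUA to 0. The WriteProcessMemory rows pair each parent with the child it just created, which is consistent with ordinary parent-to-child writes during process start-up rather than injection into an unrelated process; the chain, not any single write, is the signal. The detector below is an added example and is not code from the sandbox or from the sample. Its event list is constructed to mirror the report's PIDs, images and command lines in Sysmon's field shapes (event 1 = process create, event 13 = registry value set, DWORD details as `DWORD (0x...)`); the parent PID 1000 of the first rundll32 is an assumption, as is the mapping to ATT&CK technique IDs, which are the standard Enterprise entries for rundll32 proxy execution, registry modification and UAC bypass.

```python
"""Replay the behavioral1 chain against Sysmon-style events (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK technique ID
    pid: int
    detail: str


# Constructed to mirror the report: same PIDs, images and command lines.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470b"
              r"ee4877dfb6fe6a8d1b72e579f528dd99.dll")
EVENTS = [
    {"type": 1, "pid": 2008, "ppid": 1000,  # ppid 1000 is an assumption
     "image": r"C:\Windows\system32\rundll32.exe", "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": 1, "pid": 2184, "ppid": 2008,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": 1, "pid": 2216, "ppid": 2184,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd /C regedit /s Uac.reg"},
    {"type": 1, "pid": 2316, "ppid": 2216,
     "image": r"C:\Windows\SysWOW64\regedit.exe", "cmd": "regedit /s Uac.reg"},
    {"type": 13, "pid": 2316, "image": r"C:\Windows\SysWOW64\regedit.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
]

RUNDLL_ORDINAL = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)       # export by ordinal
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)  # user-writable path
REGEDIT_SILENT = re.compile(r"^regedit(\.exe)?\s+/s\s+\S+\.reg\b", re.IGNORECASE)
ENABLELUA_SUFFIX = r"\policies\system\enablelua"  # matches HKLM\... and \REGISTRY\MACHINE\...
DWORD_VALUE = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_tree(events):
    """pid -> (ppid, image basename) from process-create events."""
    return {ev["pid"]: (ev["ppid"], basename(ev["image"])) for ev in events if ev["type"] == 1}


def ancestors(tree, pid):
    """Image basenames of pid's ancestors, nearest first; stops at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        pid = tree[pid][0]
        if pid in tree:
            chain.append(tree[pid][1])
    return chain


def detect(events):
    tree = process_tree(events)
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == 1:
            cmd = ev["cmd"]
            if img == "rundll32.exe" and (RUNDLL_ORDINAL.search(cmd) or USER_TEMP.search(cmd)):
                alerts.append(Alert("T1218.011", ev["pid"],
                                    "rundll32 loading a DLL from the user temp dir / by ordinal"))
            if img == "regedit.exe" and REGEDIT_SILENT.search(cmd):
                chain = ancestors(tree, ev["pid"])
                detail = "silent .reg import"
                if "rundll32.exe" in chain:  # the chain is what makes this worth paging on
                    detail += " under rundll32: " + " <- ".join([img, *chain])
                alerts.append(Alert("T1112", ev["pid"], detail))
        elif ev["type"] == 13:
            m = DWORD_VALUE.search(ev["details"])
            if ev["key"].lower().endswith(ENABLELUA_SUFFIX) and m and int(m.group(1), 16) == 0:
                alerts.append(Alert("T1548.002", ev["pid"], f"EnableLUA set to 0 (UAC disabled) by {img}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The EnableLUA rule keys on the value, not on regedit: the same write from reg.exe, PowerShell or a direct RegSetValueEx call should fire too, and a change to 0 only takes effect after a reboot, so the alert is worth acting on before then.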

Network

Country | Destination | Domain | Proto | Count
TH | 222.123.29.129:443 | N/A | tcp | 5
US | 8.8.8.8:53 | sx.statedialect.top | udp | 1
JP | 160.251.203.213:65531 | sx.statedialect.top | tcp | 5

Files

C:\Users\Admin\AppData\Local\Temp\Uac.reg

MD5 3259410b95978a44d4a95a1d1815cc6d
SHA1 26d3928a81f9d754c7991673c6b856652ce38f98
SHA256 182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5
SHA512 44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 13:14

Reported

2024-04-28 13:17

Platform

win10v2004-20240419-en

Max time kernel

146s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe (4 events) | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1

C:\Windows\SysWOW64\cmd.exe

cmd /C regedit /s Uac.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s Uac.reg

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | g.bing.com | udp | 2
TH | 222.123.29.129:443 | N/A | tcp | 4
US | 8.8.8.8:53 | sx.statedialect.top | udp | 4
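Read together, the two Network tables say more than either alone: the Windows 7 run resolves sx.statedialect.top and then connects to 160.251.203.213 on the unusual port 65531, while the Windows 10 run repeats the lookup four times and never records a connection to it; both runs reach 222.123.29.129:443 with no DNS lookup at all, which points to a hard-coded address. The script below is an added example, not part of the sandbox report, that turns the raw rows of both tables (copied verbatim, one line per observed flow) into a de-duplicated IOC set and spells out those two observations. The resolver set and the noise suffixes (reverse lookups and g.bing.com, which Windows itself generates) are this example's assumptions about sandbox background traffic.

```python
"""IOC triage over the report's Network tables (added example)."""
import re
from collections import Counter

# Rows as the sandbox listed them for the win7 run (copied from the report).
BEHAVIORAL1_NETWORK = """
TH 222.123.29.129:443 tcp
US 8.8.8.8:53 sx.statedialect.top udp
JP 160.251.203.213:65531 sx.statedialect.top tcp
TH 222.123.29.129:443 tcp
JP 160.251.203.213:65531 sx.statedialect.top tcp
TH 222.123.29.129:443 tcp
JP 160.251.203.213:65531 sx.statedialect.top tcp
TH 222.123.29.129:443 tcp
JP 160.251.203.213:65531 sx.statedialect.top tcp
TH 222.123.29.129:443 tcp
JP 160.251.203.213:65531 sx.statedialect.top tcp
"""

# Rows for the win10 run (copied from the report).
BEHAVIORAL2_NETWORK = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
TH 222.123.29.129:443 tcp
US 8.8.8.8:53 sx.statedialect.top udp
US 8.8.8.8:53 g.bing.com udp
TH 222.123.29.129:443 tcp
US 8.8.8.8:53 sx.statedialect.top udp
TH 222.123.29.129:443 tcp
US 8.8.8.8:53 sx.statedialect.top udp
TH 222.123.29.129:443 tcp
US 8.8.8.8:53 sx.statedialect.top udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")
RESOLVERS = {"8.8.8.8"}                       # assumption: the sandbox's DNS resolver
NOISE_SUFFIXES = ("in-addr.arpa", "bing.com")  # assumption: OS background lookups


def parse_rows(table_text):
    rows = []
    for line in table_text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:  # skip header or malformed lines rather than fail
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def triage(table_text):
    """Split one run's rows into DNS lookups and real connections, with notes."""
    lookups, conns, where = Counter(), Counter(), {}
    for r in parse_rows(table_text):
        if r["ip"] in RESOLVERS and r["port"] == 53 and r["proto"] == "udp":
            if r["domain"] and not r["domain"].endswith(NOISE_SUFFIXES):
                lookups[r["domain"]] += 1
            continue
        key = (r["ip"], r["port"], r["proto"])
        conns[key] += 1
        where[key] = (r["cc"], r["domain"])  # domain the sandbox tied to the flow, if any
    notes = []
    connected = {domain for _, domain in where.values() if domain}
    for domain, n in lookups.items():
        if domain not in connected:
            notes.append(f"{domain} looked up {n}x but no connection to its address was recorded")
    for (ip, port, proto), (cc, domain) in where.items():
        if not domain:
            notes.append(f"{ip}:{port}/{proto} ({cc}) reached with no DNS lookup: likely hard-coded")
    return {"lookups": lookups, "conns": conns, "where": where, "notes": notes}


def iocs(*tables):
    """Union of blockable indicators across runs."""
    out = {"domains": set(), "ips": set(), "endpoints": set()}
    for table in tables:
        t = triage(table)
        out["domains"].update(t["lookups"])
        for ip, port, proto in t["conns"]:
            out["ips"].add(ip)
            out["endpoints"].add(f"{ip}:{port}/{proto}")
    return out


if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1_NETWORK), ("behavioral2", BEHAVIORAL2_NETWORK)):
        t = triage(table)
        print(name, dict(t["conns"]), t["notes"])
    print(iocs(BEHAVIORAL1_NETWORK, BEHAVIORAL2_NETWORK))
```

Block the domain and both addresses, but treat the JP address as the one most likely to rotate: it is only reached through the domain, so a DNS-layer block on sx.statedialect.top covers it even after the A record changes, whereas 222.123.29.129:443 needs an IP rule.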

Files

C:\Users\Admin\AppData\Local\Temp\Uac.reg

MD5 3259410b95978a44d4a95a1d1815cc6d
SHA1 26d3928a81f9d754c7991673c6b856652ce38f98
SHA256 182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5
SHA512 44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b