gh0strat | d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
Size

1.2MB
MD5

037b5afc971b59a356bfe076734b165b
SHA1

aed4684d046c5fb1687003798ada37618448268c
SHA256

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b
SHA512

6d35f17d0ff1a5522cc4a1c44c302c1bd1b05e0c554a57524fdbd0d097b1eb49b605e125610331034b940e5347f6b6ff378c1dff4f48db96ddfa1910f10b8f52
SSDEEP

24576:iTOgQM/++dshTB9/EkgPY1qOeb+SBpaO5F+pfTZJpqPT/qL:iBYd9/jmnJqO5FeDQPG

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Extracted

Family

gh0strat

43.248.139.181

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4800-1-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral2/memory/4800-6-0x0000000000400000-0x000000000053A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4800-0-0x0000000000400000-0x000000000053A000-memory.dmp	vmprotect
behavioral2/memory/4800-6-0x0000000000400000-0x000000000053A000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe"	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

pid process

4800 d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

pid	process
4800	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
4800	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
4800	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
4800	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
4800	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
4800	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

C:\Users\Admin\AppData\Local\Temp\d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
"C:\Users\Admin\AppData\Local\Temp\d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4800-0-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4800-1-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4800-6-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download