Malware Analysis Report

2025-03-15 06:32

Sample ID 240624-r5hctaxemf
Target 35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff
SHA256 35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff
Tags
gh0strat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff

Threat Level: Known bad

The file 35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 14:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 14:46

Reported

2024-06-24 14:49

Platform

win7-20240221-en

Max time kernel

126s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vitrwm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe"
Process: C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe

"C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 frp-can.top udp
CN 61.139.65.143:61571 frp-can.top tcp
CN 61.139.65.143:61571 frp-can.top tcp
CN 61.139.65.143:61571 frp-can.top tcp
CN 61.139.65.143:61571 frp-can.top tcp
CN 61.139.65.143:61571 frp-can.top tcp
CN 61.139.65.143:61571 frp-can.top tcp

Files

memory/2512-0-0x0000000010000000-0x0000000010046000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 14:46

Reported

2024-06-24 14:49

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe"
Process: C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe

"C:\Users\Admin\AppData\Local\Temp\35c4a766dc1d10e57431f1d0f78a7fa84a77bda4e12ec6201e446ead900956ff.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 frp-can.top udp
CN 61.139.65.143:61571 frp-can.top tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
CN 61.139.65.143:61571 frp-can.top tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
CN 61.139.65.143:61571 frp-can.top tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
CN 61.139.65.143:61571 frp-can.top tcp
CN 61.139.65.143:61571 frp-can.top tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
CN 61.139.65.143:61571 frp-can.top tcp

Files

memory/1944-0-0x0000000010000000-0x0000000010046000-memory.dmp