gh0strat | dd94a0e76e5de1ed7e055ef87507d3a2e00d3177dd2e450c4afc1e7d3eca6e84

Analysis

max time kernel
132s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2011528135322.exe
Size

204KB
MD5

1a24c5e8b0653ff5c5033c1970af459a
SHA1

eeaa099ef42414aaf4f7c48618cd66a6e2ba9e37
SHA256

779ba65f8947c9206cade7b181683380da0ef1b12a1a8de5c2e6c00d53574e9b
SHA512

006478b5fae5964ad5ede2b3277fcccfa54de68dff768110b7fb9ab184baa2b714d1d44717d3f760f480fbe1ec48f4e7e569dc030d073da7241825468d552f15
SSDEEP

3072:YqVYtrjsN9NhlcOAeT4WWDQ8KKwirAKVd8R8httUH31:FKtnsN9Nvc6DWECwyXX8RM831

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral3/files/0x0007000000018f3e-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	2011528135322.exe
2712	2011528135322.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	svchost.exe
File opened for modification	C:\WINDOWS\V2011.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2712	2011528135322.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2364	2712	2011528135322.exe	29
PID 2712 wrote to memory of 2364	2712	2011528135322.exe	29
PID 2712 wrote to memory of 2364	2712	2011528135322.exe	29
PID 2712 wrote to memory of 2364	2712	2011528135322.exe	29
PID 2712 wrote to memory of 2832	2712	2011528135322.exe	30
PID 2712 wrote to memory of 2832	2712	2011528135322.exe	30
PID 2712 wrote to memory of 2832	2712	2011528135322.exe	30
PID 2712 wrote to memory of 2832	2712	2011528135322.exe	30

C:\Users\Admin\AppData\Local\Temp\2011528135322.exe
"C:\Users\Admin\AppData\Local\Temp\2011528135322.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c afc9fe2f418b00a0.bat
  2⤵
  - Deletes itself
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
c278bb1ed716377a08b995ff7d9cab5c

SHA1
8292efb97a4e48579adc419172c9d3340226252d

SHA256
68ad3c8b3074a09adea23fafb51cf367f6297c1de626b39925294cc492bd36a9

SHA512
82f524ba37fc9d29a04bc1c438624da52f3a365728d417e0c2156806088fc29256ab5bb5d9933580aa17189a55cff5021859311b60c415ba45e85fd13bf2ff9f

Download Submit
\Users\Admin\AppData\Local\Temp\V2011\svchost.exe

Filesize
204KB

MD5
1a24c5e8b0653ff5c5033c1970af459a

SHA1
eeaa099ef42414aaf4f7c48618cd66a6e2ba9e37

SHA256
779ba65f8947c9206cade7b181683380da0ef1b12a1a8de5c2e6c00d53574e9b

SHA512
006478b5fae5964ad5ede2b3277fcccfa54de68dff768110b7fb9ab184baa2b714d1d44717d3f760f480fbe1ec48f4e7e569dc030d073da7241825468d552f15

Download Submit