gh0strat | 4695fbf41abd54d1449d8da4a5976d50aec0499e3e2959e20686237d32db3114

General

Target

0ebfef7d6059b82e87e05a54e80e5a7b.exe
Size

2.6MB
MD5

0ebfef7d6059b82e87e05a54e80e5a7b
SHA1

3c1ab9c072625b9e08b72013967b04bd2e0cb69e
SHA256

4695fbf41abd54d1449d8da4a5976d50aec0499e3e2959e20686237d32db3114
SHA512

a695816e77c3d569ba861fab022035910858cf2db0e15dd2a58398c6f39394add35172ca209de1d0d02019f5f0a4f35beb8e3ea56c4e0c37cb645379d1d9e5c9
SSDEEP

24576:3bsATQUIP6braCWyv6BpHv+LOez9OulOcsV9DK2J2aBcpsam5RvikgJkf:3vbDCv+HOulOcQMYYsP5RviP6

Score

10^/10

gh0strat mimikatz credential_access discovery evasion persistence rat trojan

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225f-1.dat	family_gh0strat
behavioral1/memory/2688-12-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/1956-13-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/2688-16-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/1956-28-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/1956-34-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ebfef7d6059b82e87e05a54e80e5a7b.exe

OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000017520-8.dat	mimikatz

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2775	1956	rundll32.exe
6124	1956	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Graphipcs_PerfSvcs\Parameters\ServiceDll = "C:\\Windows\\GraphicsPerfSvcs.dll"	0ebfef7d6059b82e87e05a54e80e5a7b.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	mimikatz.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	cmd.exe
2528	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunExec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0ebfef7d6059b82e87e05a54e80e5a7b.exe\""	0ebfef7d6059b82e87e05a54e80e5a7b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ebfef7d6059b82e87e05a54e80e5a7b.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GraphicsPerfSvcs.dll	0ebfef7d6059b82e87e05a54e80e5a7b.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ebfef7d6059b82e87e05a54e80e5a7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2516	mimikatz.exe
2516	mimikatz.exe
2516	mimikatz.exe
2516	mimikatz.exe
2516	mimikatz.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	svchost.exe
Token: SeDebugPrivilege	2516	mimikatz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1724	0ebfef7d6059b82e87e05a54e80e5a7b.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2528	1724	0ebfef7d6059b82e87e05a54e80e5a7b.exe	31
PID 1724 wrote to memory of 2528	1724	0ebfef7d6059b82e87e05a54e80e5a7b.exe	31
PID 1724 wrote to memory of 2528	1724	0ebfef7d6059b82e87e05a54e80e5a7b.exe	31
PID 1724 wrote to memory of 2528	1724	0ebfef7d6059b82e87e05a54e80e5a7b.exe	31
PID 2528 wrote to memory of 2516	2528	cmd.exe	33
PID 2528 wrote to memory of 2516	2528	cmd.exe	33
PID 2528 wrote to memory of 2516	2528	cmd.exe	33
PID 2528 wrote to memory of 2516	2528	cmd.exe	33
PID 2688 wrote to memory of 1956	2688	svchost.exe	34
PID 2688 wrote to memory of 1956	2688	svchost.exe	34
PID 2688 wrote to memory of 1956	2688	svchost.exe	34
PID 2688 wrote to memory of 1956	2688	svchost.exe	34
PID 2688 wrote to memory of 1956	2688	svchost.exe	34
PID 2688 wrote to memory of 1956	2688	svchost.exe	34
PID 2688 wrote to memory of 1956	2688	svchost.exe	34

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0ebfef7d6059b82e87e05a54e80e5a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ebfef7d6059b82e87e05a54e80e5a7b.exe

C:\Users\Admin\AppData\Local\Temp\0ebfef7d6059b82e87e05a54e80e5a7b.exe
"C:\Users\Admin\AppData\Local\Temp\0ebfef7d6059b82e87e05a54e80e5a7b.exe"
1⤵
- UAC bypass
- Server Software Component: Terminal Services DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >C:\Users\Admin\AppData\Local\Temp\Pass.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\mimikatz.exe
    C:\Users\Admin\AppData\Local\Temp\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\graphicsperfsvcs.dll, XiaoDeBu Graphipcs_PerfSvcs
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

OS Credential Dumping

1

T1003

LSASS Memory

1

T1003.001

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pass.txt

Filesize
3KB

MD5
adffea26d27cb5e10aac7b7d83341ca4

SHA1
dfd71b8ca846ce492b3366f62951ec6b778f2376

SHA256
d8e1704e9011808655722a63945170a4731359e1e2a91a1ebba4bd97c7b22410

SHA512
ccf5394248d5d570bde37f7c7b35921ddeaa0257fd44afe302df418ef144205eee48395429ae24c071ba054b48685fe7a6edfa922b3986f51da49d51b6c5f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\mimikatz.exe

Filesize
905KB

MD5
50300de5e4786530ea603224ccbcbb02

SHA1
d343b0019084de2dd882e92a79a872370bc6028f

SHA256
23a243a1ce474c4da90b1003ffcbaf9a3ff25e0787844bfe74c21671fdd8b269

SHA512
a41f0e2140046d1074e444881e7b23f3ba79e304acca4df25dcdb522e0a1ef21b5e64245748d359cad18e4966d76fe622cbc8f542ee1cf2a38f9de5971398b8c

Download Submit
\??\c:\windows\graphicsperfsvcs.dll

Filesize
104KB

MD5
cd1b4e13446adbd451196fc3e7f59e26

SHA1
6cd3fd4b54ce0c7109709851781138bbb66eb0aa

SHA256
dda0aa71a3aaf64c5de3aade73b3619f5b135d1dee66b88725e5a804272318e3

SHA512
2cd76db9207d55d465e36277aaadd9bd5ed8007e8a4aa78027c5d91aa6a9772f271a4f3ae611892497b8b31d35b6e89262eee6c2366ecb04011e43741d35b439

Download Submit
memory/1956-13-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1956-28-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1956-34-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2688-12-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2688-16-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads