gh0strat | 3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

General

Target

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe
Size

180KB
MD5

72dd8f8700c52b00c1b95fa29fbcd30e
SHA1

05b1e71bba9e8ed49968569ad3124abd937d30ab
SHA256

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a
SHA512

eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-55-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

seser.exeseser.exe

pid process

1304 seser.exe
2020 seser.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1352 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

WerFault.exe

pid process

1076 WerFault.exe
1076 WerFault.exe

pid	process
1304	seser.exe
2020	seser.exe

pid	process
1352	cmd.exe

pid	process
1076	WerFault.exe
1076	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\seser.exe	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe
File opened for modification	C:\Windows\SysWOW64\seser.exe	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1076 1304 WerFault.exe seser.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description pid process

Token: SeIncBasePriorityPrivilege 960 3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

pid	pid_target	process	target process
1076	1304	WerFault.exe	seser.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	960	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

seser.exe3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description	pid	process	target process
PID 1304 wrote to memory of 2020	1304	seser.exe	seser.exe
PID 1304 wrote to memory of 2020	1304	seser.exe	seser.exe
PID 1304 wrote to memory of 2020	1304	seser.exe	seser.exe
PID 1304 wrote to memory of 2020	1304	seser.exe	seser.exe
PID 960 wrote to memory of 1352	960	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe
PID 960 wrote to memory of 1352	960	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe
PID 960 wrote to memory of 1352	960	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe
PID 960 wrote to memory of 1352	960	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe
PID 1304 wrote to memory of 1076	1304	seser.exe	WerFault.exe
PID 1304 wrote to memory of 1076	1304	seser.exe	WerFault.exe
PID 1304 wrote to memory of 1076	1304	seser.exe	WerFault.exe
PID 1304 wrote to memory of 1076	1304	seser.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe
"C:\Users\Admin\AppData\Local\Temp\3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F8C1E~1.EXE > nul
2⤵
- Deletes itself
PID:1352

C:\Windows\SysWOW64\seser.exe
C:\Windows\SysWOW64\seser.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\seser.exe
C:\Windows\SysWOW64\seser.exe Win7
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 252
2⤵
- Loads dropped DLL
- Program crash
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\seser.exe

Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
C:\Windows\SysWOW64\seser.exe

Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
C:\Windows\SysWOW64\seser.exe

Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
\Windows\SysWOW64\seser.exe

Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
\Windows\SysWOW64\seser.exe

Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
memory/960-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1076-68-0x0000000000000000-mapping.dmp

Download
memory/1352-69-0x0000000000000000-mapping.dmp

Download
memory/2020-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads