gh0strat | 3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

General

Target

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe
Size

180KB
MD5

72dd8f8700c52b00c1b95fa29fbcd30e
SHA1

05b1e71bba9e8ed49968569ad3124abd937d30ab
SHA256

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a
SHA512

eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3292-130-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat
behavioral2/memory/1008-136-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 3 IoCs

Processes:

seser.exeseser.exeseser.exe

pid process

1008 seser.exe
4484 seser.exe
4668 seser.exe

pid	process
1008	seser.exe
4484	seser.exe
4668	seser.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

Drops file in System32 directory 2 IoCs

Processes:

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\seser.exe	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe
File created	C:\Windows\SysWOW64\seser.exe	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4004 1008 WerFault.exe seser.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description pid process

Token: SeIncBasePriorityPrivilege 3292 3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

pid	pid_target	process	target process
4004	1008	WerFault.exe	seser.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3292	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

seser.exe3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe

description	pid	process	target process
PID 1008 wrote to memory of 4484	1008	seser.exe	seser.exe
PID 1008 wrote to memory of 4484	1008	seser.exe	seser.exe
PID 1008 wrote to memory of 4484	1008	seser.exe	seser.exe
PID 1008 wrote to memory of 4668	1008	seser.exe	seser.exe
PID 1008 wrote to memory of 4668	1008	seser.exe	seser.exe
PID 1008 wrote to memory of 4668	1008	seser.exe	seser.exe
PID 3292 wrote to memory of 4508	3292	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe
PID 3292 wrote to memory of 4508	3292	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe
PID 3292 wrote to memory of 4508	3292	3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe
"C:\Users\Admin\AppData\Local\Temp\3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F8C1E~1.EXE > nul
2⤵
PID:4508

C:\Windows\SysWOW64\seser.exe
C:\Windows\SysWOW64\seser.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\seser.exe
C:\Windows\SysWOW64\seser.exe Win7
2⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\seser.exe
C:\Windows\SysWOW64\seser.exe Win7
2⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 680
2⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1008 -ip 1008
1⤵
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\seser.exe
Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
C:\Windows\SysWOW64\seser.exe
Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
C:\Windows\SysWOW64\seser.exe
Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
C:\Windows\SysWOW64\seser.exe
Filesize
180KB

MD5
72dd8f8700c52b00c1b95fa29fbcd30e

SHA1
05b1e71bba9e8ed49968569ad3124abd937d30ab

SHA256
3f8c1e5dc8ea2e6aff80b31aeb4e626597e144ec58f460e481bf1f50f7d1e60a

SHA512
eee3e7377f4555cb2c587045f7fcd15d8ec76b978de8f34ef360d415dccd9641069feb313a8f6ffe13e3f5b3c39a128f7902e58da7ef26a3bd44db112b4fd58a

Download Submit
memory/1008-136-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3292-130-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4484-140-0x0000000000000000-mapping.dmp

Download
memory/4508-152-0x0000000000000000-mapping.dmp

Download
memory/4668-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads