gh0strat | e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951

General

Target

e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe
Size

375KB
MD5

227c79e68a1de6f58ab551f285a25980
SHA1

10818c3bec7c51cd8df4e5becee7c790a1d7a3d2
SHA256

e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951
SHA512

32aa32283e61f7ed485d70cbdfab1205a7fb0fdd6149b9f5d2e752f8e787dc3fb7d4e00aa0730fe8b8dabc5021426020b6ece969033c2470253e250cef444419

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4100-135-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/4100-134-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/4100-136-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/780-150-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/780-151-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/808-152-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/780-155-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1576-173-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3580-174-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/780-176-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1576-177-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 4 IoCs

Processes:

SQLSerasi.exeSQLSerasi.exeSQLSerasi.exeSQLSerasi.exe

pid process

808 SQLSerasi.exe
780 SQLSerasi.exe
1576 SQLSerasi.exe
3580 SQLSerasi.exe

pid	process
808	SQLSerasi.exe
780	SQLSerasi.exe
1576	SQLSerasi.exe
3580	SQLSerasi.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4100-131-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/4100-135-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/4100-134-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/4100-136-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/780-147-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/780-150-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/780-151-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/808-152-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/780-155-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1576-173-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3580-174-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/780-176-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1576-177-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe

Drops file in System32 directory 4 IoCs

Processes:

SQLSerasi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SQLSerasi.exe

Drops file in Program Files directory 2 IoCs

Processes:

e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

776 780 WerFault.exe SQLSerasi.exe

pid	pid_target	process	target process
776	780	WerFault.exe	SQLSerasi.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SQLSerasi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLSerasi.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

SQLSerasi.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exeSQLSerasi.exeSQLSerasi.exeSQLSerasi.exeSQLSerasi.exe

description	pid	process
Token: SeDebugPrivilege	4100	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe
Token: SeDebugPrivilege	808	SQLSerasi.exe
Token: SeDebugPrivilege	780	SQLSerasi.exe
Token: SeDebugPrivilege	780	SQLSerasi.exe
Token: SeDebugPrivilege	780	SQLSerasi.exe
Token: SeDebugPrivilege	1576	SQLSerasi.exe
Token: SeDebugPrivilege	3580	SQLSerasi.exe
Token: SeDebugPrivilege	1576	SQLSerasi.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exeSQLSerasi.exe

description	pid	process	target process
PID 4100 wrote to memory of 808	4100	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe	SQLSerasi.exe
PID 4100 wrote to memory of 808	4100	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe	SQLSerasi.exe
PID 4100 wrote to memory of 808	4100	e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe	SQLSerasi.exe
PID 780 wrote to memory of 1576	780	SQLSerasi.exe	SQLSerasi.exe
PID 780 wrote to memory of 1576	780	SQLSerasi.exe	SQLSerasi.exe
PID 780 wrote to memory of 1576	780	SQLSerasi.exe	SQLSerasi.exe
PID 780 wrote to memory of 3580	780	SQLSerasi.exe	SQLSerasi.exe
PID 780 wrote to memory of 3580	780	SQLSerasi.exe	SQLSerasi.exe
PID 780 wrote to memory of 3580	780	SQLSerasi.exe	SQLSerasi.exe

C:\Users\Admin\AppData\Local\Temp\e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe
"C:\Users\Admin\AppData\Local\Temp\e98d9a24d5ebf52edf79d0443febe20b3fd0b9b99402a3401ae320d9ba034951.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 572
2⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 780 -ip 780
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
778e86dddd67fc3dcba7903d55fa1829

SHA1
fce6c4400459e93a73dc78abd52fc236c7c46d3a

SHA256
ffe8d11becfceecba183c2b9eca9433368f02e90c6054015e0ac3140ce0e299a

SHA512
f392261e08e2a78ade319eaa1e7f2d9eec3aa76cdc07e6956911e47ea54cd0c31d39c98053bdbe704343c93d02affb89ab348e51efd10fd6011f44b1e953ea67

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
778e86dddd67fc3dcba7903d55fa1829

SHA1
fce6c4400459e93a73dc78abd52fc236c7c46d3a

SHA256
ffe8d11becfceecba183c2b9eca9433368f02e90c6054015e0ac3140ce0e299a

SHA512
f392261e08e2a78ade319eaa1e7f2d9eec3aa76cdc07e6956911e47ea54cd0c31d39c98053bdbe704343c93d02affb89ab348e51efd10fd6011f44b1e953ea67

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
778e86dddd67fc3dcba7903d55fa1829

SHA1
fce6c4400459e93a73dc78abd52fc236c7c46d3a

SHA256
ffe8d11becfceecba183c2b9eca9433368f02e90c6054015e0ac3140ce0e299a

SHA512
f392261e08e2a78ade319eaa1e7f2d9eec3aa76cdc07e6956911e47ea54cd0c31d39c98053bdbe704343c93d02affb89ab348e51efd10fd6011f44b1e953ea67

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
778e86dddd67fc3dcba7903d55fa1829

SHA1
fce6c4400459e93a73dc78abd52fc236c7c46d3a

SHA256
ffe8d11becfceecba183c2b9eca9433368f02e90c6054015e0ac3140ce0e299a

SHA512
f392261e08e2a78ade319eaa1e7f2d9eec3aa76cdc07e6956911e47ea54cd0c31d39c98053bdbe704343c93d02affb89ab348e51efd10fd6011f44b1e953ea67

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
778e86dddd67fc3dcba7903d55fa1829

SHA1
fce6c4400459e93a73dc78abd52fc236c7c46d3a

SHA256
ffe8d11becfceecba183c2b9eca9433368f02e90c6054015e0ac3140ce0e299a

SHA512
f392261e08e2a78ade319eaa1e7f2d9eec3aa76cdc07e6956911e47ea54cd0c31d39c98053bdbe704343c93d02affb89ab348e51efd10fd6011f44b1e953ea67

Download Submit
memory/780-150-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/780-176-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/780-155-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/780-153-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/780-151-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/780-147-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/808-156-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/808-152-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/808-154-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/808-137-0x0000000000000000-mapping.dmp

Download
memory/1576-177-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1576-157-0x0000000000000000-mapping.dmp

Download
memory/1576-173-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1576-171-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3580-172-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3580-175-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3580-159-0x0000000000000000-mapping.dmp

Download
memory/3580-174-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4100-134-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4100-130-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4100-131-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4100-136-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4100-135-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4100-142-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads