gh0strat | 5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f

Analysis

max time kernel
131s
max time network
142s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
07/09/2022, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
Size

375KB
MD5

d940553fa5943895dda51d891e097d3e
SHA1

68cfa43d293f79be7fba788b1488e22e47e608a4
SHA256

5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f
SHA512

477dfdeebe270af99fa01264bb4fed203af8255e24aa1edbe67800a9e5be1eaa375d1505a965bc223cc16db3eeaf2dffda8e798cf330a7fc5a7c366c7f6f8360
SSDEEP

6144:Iv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:I4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2300-174-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-175-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-177-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3336-270-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3964-301-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3964-302-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/4732-360-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3964-372-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/4732-374-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
3336	SQLSerasi.exe
3964	SQLSerasi.exe
4732	SQLSerasi.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-170-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-174-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-175-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-177-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3336-270-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3964-301-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3964-302-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/4732-360-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3964-372-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/4732-374-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SQLSerasi.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLSerasi.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLSerasi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
Token: SeDebugPrivilege	3336	SQLSerasi.exe
Token: SeDebugPrivilege	3964	SQLSerasi.exe
Token: SeDebugPrivilege	3964	SQLSerasi.exe
Token: SeDebugPrivilege	4732	SQLSerasi.exe
Token: SeDebugPrivilege	4732	SQLSerasi.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3336	2300	5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe	66
PID 2300 wrote to memory of 3336	2300	5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe	66
PID 2300 wrote to memory of 3336	2300	5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe	66
PID 3964 wrote to memory of 4732	3964	SQLSerasi.exe	68
PID 3964 wrote to memory of 4732	3964	SQLSerasi.exe	68
PID 3964 wrote to memory of 4732	3964	SQLSerasi.exe	68

C:\Users\Admin\AppData\Local\Temp\5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
"C:\Users\Admin\AppData\Local\Temp\5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3336

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
e8d1c6ee48e26677db102c9d5bf4c7f5

SHA1
1660b5bc53508f401ec319d4b11b91a2fe9354f2

SHA256
72c24d4efa2ddd4e65e36bfeeacace4283a8f70ddbee1db28ec573df93fc3b6f

SHA512
166ae8bb7e2dbe67a6b0fc925668e1064ff1db28d4bd867319fa43410c35096dd7f7c5cdd83041efad4ef91ed6a65b4d7bbc9bd9655ff79c9a91381d0a90fde7

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
e8d1c6ee48e26677db102c9d5bf4c7f5

SHA1
1660b5bc53508f401ec319d4b11b91a2fe9354f2

SHA256
72c24d4efa2ddd4e65e36bfeeacace4283a8f70ddbee1db28ec573df93fc3b6f

SHA512
166ae8bb7e2dbe67a6b0fc925668e1064ff1db28d4bd867319fa43410c35096dd7f7c5cdd83041efad4ef91ed6a65b4d7bbc9bd9655ff79c9a91381d0a90fde7

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
e8d1c6ee48e26677db102c9d5bf4c7f5

SHA1
1660b5bc53508f401ec319d4b11b91a2fe9354f2

SHA256
72c24d4efa2ddd4e65e36bfeeacace4283a8f70ddbee1db28ec573df93fc3b6f

SHA512
166ae8bb7e2dbe67a6b0fc925668e1064ff1db28d4bd867319fa43410c35096dd7f7c5cdd83041efad4ef91ed6a65b4d7bbc9bd9655ff79c9a91381d0a90fde7

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
e8d1c6ee48e26677db102c9d5bf4c7f5

SHA1
1660b5bc53508f401ec319d4b11b91a2fe9354f2

SHA256
72c24d4efa2ddd4e65e36bfeeacace4283a8f70ddbee1db28ec573df93fc3b6f

SHA512
166ae8bb7e2dbe67a6b0fc925668e1064ff1db28d4bd867319fa43410c35096dd7f7c5cdd83041efad4ef91ed6a65b4d7bbc9bd9655ff79c9a91381d0a90fde7

Download Submit
memory/2300-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-123-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2300-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-174-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-170-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-175-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-177-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-184-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-194-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3336-270-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3336-303-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3964-301-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3964-302-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3964-371-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3964-372-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4732-360-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4732-373-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4732-374-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download