gh0strat | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24

General

Target

440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
Size

375KB
MD5

0279663d477cb9ab929b4bcce5939684
SHA1

40d0f0c4b28147e33802bf5ddd8fa63c1601235d
SHA256

440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24
SHA512

8bfb514867553b4c4296974853912f35dac63128c78b92e0e6c56f76991c99384150059d557154abfcd48677541223df8f8e5ef9706460d070746756ade4fddd
SSDEEP

6144:nv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:n4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/968-136-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/968-137-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/968-138-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/4440-149-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3540-154-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3540-155-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3540-157-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1912-175-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1912-176-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 4 IoCs

pid	Process
4440	SQLSerasi.exe
3540	SQLSerasi.exe
1912	SQLSerasi.exe
2840	SQLSerasi.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/968-133-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/968-136-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/968-137-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/968-138-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/4440-149-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3540-151-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3540-154-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3540-155-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3540-157-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-175-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-176-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SQLSerasi.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	3540	WerFault.exe	87

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLSerasi.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLSerasi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
Token: SeDebugPrivilege	4440	SQLSerasi.exe
Token: SeDebugPrivilege	3540	SQLSerasi.exe
Token: SeDebugPrivilege	3540	SQLSerasi.exe
Token: SeDebugPrivilege	3540	SQLSerasi.exe
Token: SeDebugPrivilege	1912	SQLSerasi.exe
Token: SeDebugPrivilege	1912	SQLSerasi.exe
Token: SeDebugPrivilege	2840	SQLSerasi.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4440	968	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe	84
PID 968 wrote to memory of 4440	968	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe	84
PID 968 wrote to memory of 4440	968	440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe	84
PID 3540 wrote to memory of 1912	3540	SQLSerasi.exe	89
PID 3540 wrote to memory of 1912	3540	SQLSerasi.exe	89
PID 3540 wrote to memory of 1912	3540	SQLSerasi.exe	89
PID 3540 wrote to memory of 2840	3540	SQLSerasi.exe	91
PID 3540 wrote to memory of 2840	3540	SQLSerasi.exe	91
PID 3540 wrote to memory of 2840	3540	SQLSerasi.exe	91

C:\Users\Admin\AppData\Local\Temp\440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
"C:\Users\Admin\AppData\Local\Temp\440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4440

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 648
  2⤵
  - Program crash
  PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3540 -ip 3540
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
18679c5fa88b0f76fc882bb1e97807e2

SHA1
c5b76db8170cb0e340d038ebcf5fd09d872ec395

SHA256
d2cb511148b911498b4a4b38321efcda2deb232c26eb8f26b113109b1ee17658

SHA512
a7a7e39106a6f1209c6c9f9ddf6530cb3a22aa1b05380f22c72a03b2c27d8cc4a0e165a78ae1e8c77b3c6729b29e30619a527567ac0129de86c3500a7b1fdf00

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
18679c5fa88b0f76fc882bb1e97807e2

SHA1
c5b76db8170cb0e340d038ebcf5fd09d872ec395

SHA256
d2cb511148b911498b4a4b38321efcda2deb232c26eb8f26b113109b1ee17658

SHA512
a7a7e39106a6f1209c6c9f9ddf6530cb3a22aa1b05380f22c72a03b2c27d8cc4a0e165a78ae1e8c77b3c6729b29e30619a527567ac0129de86c3500a7b1fdf00

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
18679c5fa88b0f76fc882bb1e97807e2

SHA1
c5b76db8170cb0e340d038ebcf5fd09d872ec395

SHA256
d2cb511148b911498b4a4b38321efcda2deb232c26eb8f26b113109b1ee17658

SHA512
a7a7e39106a6f1209c6c9f9ddf6530cb3a22aa1b05380f22c72a03b2c27d8cc4a0e165a78ae1e8c77b3c6729b29e30619a527567ac0129de86c3500a7b1fdf00

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
18679c5fa88b0f76fc882bb1e97807e2

SHA1
c5b76db8170cb0e340d038ebcf5fd09d872ec395

SHA256
d2cb511148b911498b4a4b38321efcda2deb232c26eb8f26b113109b1ee17658

SHA512
a7a7e39106a6f1209c6c9f9ddf6530cb3a22aa1b05380f22c72a03b2c27d8cc4a0e165a78ae1e8c77b3c6729b29e30619a527567ac0129de86c3500a7b1fdf00

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
18679c5fa88b0f76fc882bb1e97807e2

SHA1
c5b76db8170cb0e340d038ebcf5fd09d872ec395

SHA256
d2cb511148b911498b4a4b38321efcda2deb232c26eb8f26b113109b1ee17658

SHA512
a7a7e39106a6f1209c6c9f9ddf6530cb3a22aa1b05380f22c72a03b2c27d8cc4a0e165a78ae1e8c77b3c6729b29e30619a527567ac0129de86c3500a7b1fdf00

Download Submit
memory/968-137-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/968-136-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/968-132-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/968-145-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/968-138-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/968-133-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-176-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-171-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1912-175-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2840-177-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2840-178-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2840-173-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3540-156-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3540-157-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3540-155-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3540-154-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3540-151-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4440-149-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4440-158-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4440-142-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads