gh0strat | a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d

General

Target

a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe
Size

375KB
MD5

7d2049f4ed374565b5c243e4d59e2d3b
SHA1

4a2ce1b099077564a5438928f5240579e7d597cd
SHA256

a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d
SHA512

c3672545e78826477926889edde51c8025acba7c41acd9620792608b32cab4a112e470e7e59b532e59f7c10890c6e2207696870e07a3c85dcff8e01c7eb9c534
SSDEEP

6144:xv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:x4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/1836-137-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1836-136-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1836-138-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/320-149-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1912-155-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1912-156-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1912-158-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1912-160-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3960-176-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 4 IoCs

pid	Process
320	SQLSerasi.exe
1912	SQLSerasi.exe
3960	SQLSerasi.exe
3724	SQLSerasi.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1836-132-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1836-137-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1836-136-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1836-138-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/320-149-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-155-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-150-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-156-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-158-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1912-160-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3960-176-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SQLSerasi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SQLSerasi.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	1912	WerFault.exe	85

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLSerasi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLSerasi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLSerasi.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLSerasi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLSerasi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SQLSerasi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe
Token: SeDebugPrivilege	320	SQLSerasi.exe
Token: SeDebugPrivilege	1912	SQLSerasi.exe
Token: SeDebugPrivilege	1912	SQLSerasi.exe
Token: SeDebugPrivilege	1912	SQLSerasi.exe
Token: SeDebugPrivilege	3960	SQLSerasi.exe
Token: SeDebugPrivilege	3724	SQLSerasi.exe
Token: SeDebugPrivilege	3960	SQLSerasi.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 320	1836	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe	84
PID 1836 wrote to memory of 320	1836	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe	84
PID 1836 wrote to memory of 320	1836	a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe	84
PID 1912 wrote to memory of 3960	1912	SQLSerasi.exe	89
PID 1912 wrote to memory of 3960	1912	SQLSerasi.exe	89
PID 1912 wrote to memory of 3960	1912	SQLSerasi.exe	89
PID 1912 wrote to memory of 3724	1912	SQLSerasi.exe	90
PID 1912 wrote to memory of 3724	1912	SQLSerasi.exe	90
PID 1912 wrote to memory of 3724	1912	SQLSerasi.exe	90

C:\Users\Admin\AppData\Local\Temp\a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe
"C:\Users\Admin\AppData\Local\Temp\a54aebc29e6787aba5f17699ec1873617bf920287fd5d551a98edb1a34219c5d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:320

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 644
  2⤵
  - Program crash
  PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1912 -ip 1912
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
0ae2eeb3e7a19cdcae1742137718ba96

SHA1
d759c1fa77b319870e689a901738b04e4cc5b55f

SHA256
ec7110610f465266a41b89d4423fca123f9bc4f8883febc7279b7a09755ae3c6

SHA512
ea3b0d751758ecbe8b00d8ffe54f58f20f92fe8ac5d8eecbb7f0be5fd0900117e6064be5cbee6e4893a73b0632b17b22c9284e694f2fd578e19ea3d9c855a3b0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
0ae2eeb3e7a19cdcae1742137718ba96

SHA1
d759c1fa77b319870e689a901738b04e4cc5b55f

SHA256
ec7110610f465266a41b89d4423fca123f9bc4f8883febc7279b7a09755ae3c6

SHA512
ea3b0d751758ecbe8b00d8ffe54f58f20f92fe8ac5d8eecbb7f0be5fd0900117e6064be5cbee6e4893a73b0632b17b22c9284e694f2fd578e19ea3d9c855a3b0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
0ae2eeb3e7a19cdcae1742137718ba96

SHA1
d759c1fa77b319870e689a901738b04e4cc5b55f

SHA256
ec7110610f465266a41b89d4423fca123f9bc4f8883febc7279b7a09755ae3c6

SHA512
ea3b0d751758ecbe8b00d8ffe54f58f20f92fe8ac5d8eecbb7f0be5fd0900117e6064be5cbee6e4893a73b0632b17b22c9284e694f2fd578e19ea3d9c855a3b0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
0ae2eeb3e7a19cdcae1742137718ba96

SHA1
d759c1fa77b319870e689a901738b04e4cc5b55f

SHA256
ec7110610f465266a41b89d4423fca123f9bc4f8883febc7279b7a09755ae3c6

SHA512
ea3b0d751758ecbe8b00d8ffe54f58f20f92fe8ac5d8eecbb7f0be5fd0900117e6064be5cbee6e4893a73b0632b17b22c9284e694f2fd578e19ea3d9c855a3b0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

Filesize
39.4MB

MD5
0ae2eeb3e7a19cdcae1742137718ba96

SHA1
d759c1fa77b319870e689a901738b04e4cc5b55f

SHA256
ec7110610f465266a41b89d4423fca123f9bc4f8883febc7279b7a09755ae3c6

SHA512
ea3b0d751758ecbe8b00d8ffe54f58f20f92fe8ac5d8eecbb7f0be5fd0900117e6064be5cbee6e4893a73b0632b17b22c9284e694f2fd578e19ea3d9c855a3b0

Download Submit
memory/320-153-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/320-149-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/320-157-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1836-142-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1836-138-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1836-136-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1836-134-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1836-132-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1836-137-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-158-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-156-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-160-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-150-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-155-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1912-151-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3724-175-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3960-174-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3960-176-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads