gh0strat | d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

General

Target

d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
Size

168KB
MD5

0da30e92f7dd8cc6ad3c35f77a0caa80
SHA1

64a6be72141295cdd8ecacf0f4513328e45bab58
SHA256

d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523
SHA512

0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1
SSDEEP

3072:a55WhN9npi8X7+0rbaemqKKgrkF0tIjnK0LHB8BwXc4+4uFXBfOJ4lQHwmj3yadX:a55WzZX7+0rb1mq+lIj3LHmBwXcxfXFY

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000005c50-55.dat	family_gh0strat
behavioral1/files/0x0007000000005c50-57.dat	family_gh0strat
behavioral1/files/0x000a0000000122e0-58.dat	family_gh0strat
behavioral1/files/0x000c0000000122dd-59.dat	family_gh0strat
behavioral1/files/0x000c0000000122dd-60.dat	family_gh0strat
behavioral1/files/0x000c0000000122dd-62.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
540	zgtdcg.exe
1524	hrl873B.tmp

Loads dropped DLL 3 IoCs

pid	Process
540	zgtdcg.exe
540	zgtdcg.exe
540	zgtdcg.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	zgtdcg.exe
File opened (read-only)	\??\K:	zgtdcg.exe
File opened (read-only)	\??\N:	zgtdcg.exe
File opened (read-only)	\??\R:	zgtdcg.exe
File opened (read-only)	\??\T:	zgtdcg.exe
File opened (read-only)	\??\I:	zgtdcg.exe
File opened (read-only)	\??\O:	zgtdcg.exe
File opened (read-only)	\??\Q:	zgtdcg.exe
File opened (read-only)	\??\S:	zgtdcg.exe
File opened (read-only)	\??\V:	zgtdcg.exe
File opened (read-only)	\??\E:	zgtdcg.exe
File opened (read-only)	\??\H:	zgtdcg.exe
File opened (read-only)	\??\U:	zgtdcg.exe
File opened (read-only)	\??\X:	zgtdcg.exe
File opened (read-only)	\??\Y:	zgtdcg.exe
File opened (read-only)	\??\Z:	zgtdcg.exe
File opened (read-only)	\??\G:	zgtdcg.exe
File opened (read-only)	\??\J:	zgtdcg.exe
File opened (read-only)	\??\L:	zgtdcg.exe
File opened (read-only)	\??\M:	zgtdcg.exe
File opened (read-only)	\??\P:	zgtdcg.exe
File opened (read-only)	\??\W:	zgtdcg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zgtdcg.exe	d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
File opened for modification	C:\Windows\SysWOW64\zgtdcg.exe	d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
File created	C:\Windows\SysWOW64\hra33.dll	zgtdcg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	zgtdcg.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	zgtdcg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1524	540	zgtdcg.exe	27
PID 540 wrote to memory of 1524	540	zgtdcg.exe	27
PID 540 wrote to memory of 1524	540	zgtdcg.exe	27
PID 540 wrote to memory of 1524	540	zgtdcg.exe	27

C:\Users\Admin\AppData\Local\Temp\d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe
"C:\Users\Admin\AppData\Local\Temp\d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523.exe"
1⤵
- Drops file in System32 directory
PID:1416

C:\Windows\SysWOW64\zgtdcg.exe
C:\Windows\SysWOW64\zgtdcg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\TEMP\hrl873B.tmp
  C:\Windows\TEMP\hrl873B.tmp
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\zgtdcg.exe

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
C:\Windows\SysWOW64\zgtdcg.exe

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
C:\Windows\Temp\hrl873B.tmp

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
176KB

MD5
e8f8cc390926e678ccefef14d1232840

SHA1
5b735f61905a152ffa92fa90f1ab55f4a83b3197

SHA256
90947d4b74ddb340bc3ee0d2f3f43392be493f668e68439c997a7bd8af04f174

SHA512
40766823bcbfd0d17cf067cc58cc84b21cc184f7c4ac08b349ca2ffa216d5009e7e22fa8db5d29ea2e9ea8bc6b610d887b5baef261988c824c233aaa3860b951

Download Submit
\Windows\Temp\hrl873B.tmp

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
\Windows\Temp\hrl873B.tmp

Filesize
168KB

MD5
0da30e92f7dd8cc6ad3c35f77a0caa80

SHA1
64a6be72141295cdd8ecacf0f4513328e45bab58

SHA256
d47a641a7ba541f1431a68a6bbcb7b0246efd1adbb0ba3341fce2ce713d70523

SHA512
0ce91ffd1ae6fd9a2472b177388c85798ccfe8e5483e99ab862b84d51d4ce41f6d40e2b3d88e6d33cec4e8aea1280ead2b71be7e042f42ae6dd288e03bade8d1

Download Submit
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing