gh0strat | ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0

General

Target

ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
Size

680KB
MD5

d50d4545b85f36b58fdd1b2bfefbf05a
SHA1

b266a95c41407298ea4a742dfef3fc4045df3fa0
SHA256

ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0
SHA512

21aeb170b091e060f148117af9d5a3a49c582ac3e9ebf18560121871ecb4061bd9cd61d65c2ffee5ee35edec7600575863e1995370949e41fe5ffcbdac45c226
SSDEEP

6144:yMhOwNU1k/whA0BN8PwaO/kPNNduO4FOqOVaazcpof8ALthThFu3:hxNUy/whA0mwBMPQAJRUGf

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-139-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/3480-138-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/3480-140-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/3480-144-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

upx.exe

pid process

3480 upx.exe

pid	process
3480	upx.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1120-132-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral2/memory/1120-143-0x0000000000400000-0x0000000000585000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

upx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	upx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CEB3B4E0 = "C:\\Windows\\CEB3B4E0\\svchsot.exe"	upx.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

upx.exe

pid process

3480 upx.exe
3480 upx.exe
3480 upx.exe
3480 upx.exe
3480 upx.exe
3480 upx.exe
3480 upx.exe
3480 upx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

upx.exe

description pid process

Token: SeDebugPrivilege 3480 upx.exe

pid	process
3480	upx.exe
3480	upx.exe
3480	upx.exe
3480	upx.exe
3480	upx.exe
3480	upx.exe
3480	upx.exe
3480	upx.exe

description	pid	process
Token: SeDebugPrivilege	3480	upx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe

pid	process
1120	ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
1120	ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exeupx.exenet.exe

description	pid	process	target process
PID 1120 wrote to memory of 3480	1120	ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe	upx.exe
PID 1120 wrote to memory of 3480	1120	ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe	upx.exe
PID 1120 wrote to memory of 3480	1120	ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe	upx.exe
PID 3480 wrote to memory of 4724	3480	upx.exe	net.exe
PID 3480 wrote to memory of 4724	3480	upx.exe	net.exe
PID 3480 wrote to memory of 4724	3480	upx.exe	net.exe
PID 4724 wrote to memory of 3664	4724	net.exe	net1.exe
PID 4724 wrote to memory of 3664	4724	net.exe	net1.exe
PID 4724 wrote to memory of 3664	4724	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
"C:\Users\Admin\AppData\Local\Temp\ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\Desktop\upx.exe
C:\Users\Admin\Desktop\upx.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
4⤵
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\upx.exe
Filesize
80KB

MD5
552c9b6b5d2df50f740c3531865ad307

SHA1
8bc28dbcdecda6366ad9a14db5dd6d67e81d04b0

SHA256
b650e60013239f8a916ffd571ea66aedc6a0f88be43a003ed444a0592c29d632

SHA512
8fa284f51d34a25fa982f291fd2c033bb7070b32a8eaa8e3e91e85c2c366ebfb6f0967060eebdc7237496b29cfcf58f6ede545049caf74176f8674efffbc996f

Download Submit
C:\Users\Admin\Desktop\upx.exe
Filesize
80KB

MD5
552c9b6b5d2df50f740c3531865ad307

SHA1
8bc28dbcdecda6366ad9a14db5dd6d67e81d04b0

SHA256
b650e60013239f8a916ffd571ea66aedc6a0f88be43a003ed444a0592c29d632

SHA512
8fa284f51d34a25fa982f291fd2c033bb7070b32a8eaa8e3e91e85c2c366ebfb6f0967060eebdc7237496b29cfcf58f6ede545049caf74176f8674efffbc996f

Download Submit
memory/1120-132-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1120-143-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/3480-133-0x0000000000000000-mapping.dmp

Download
memory/3480-136-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3480-139-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3480-138-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3480-140-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3480-144-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3664-142-0x0000000000000000-mapping.dmp

Download
memory/4724-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads