gh0strat | 5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe
Size

12.9MB
MD5

a93181bb75efe8ad296d3853f36ed19b
SHA1

31da220231c677a097f9bc6b4740e67775b7b0f5
SHA256

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25
SHA512

6bdd6b8518d3325a3d6eb1ed3b529119e9d1c9c5ca8c6ae5655bcb9c5bd614dc94c7227fcde02e9babb25c18532e12f3d9846994ba62c46c0d068c310e8eaf6a
SSDEEP

196608:UNDjo2ZJPJNHIhzGcHz3j8xwPpWrqUrmpvJIkbrQXho+CiFiSLvsJ4KCXyan5MUi:UZxyRv8xQpW+JERo+tXCdCLn+

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1244-154-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/1244-153-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/1244-163-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 6 IoCs

Processes:

9783.exe333.exe240573515.exe9783GamePlaza_mini.exeserver183.exe9783GamePlaza_mini.tmp

pid process

3252 9783.exe
3256 333.exe
3364 240573515.exe
1156 9783GamePlaza_mini.exe
1244 server183.exe
3832 9783GamePlaza_mini.tmp

pid	process
3252	9783.exe
3256	333.exe
3364	240573515.exe
1156	9783GamePlaza_mini.exe
1244	server183.exe
3832	9783GamePlaza_mini.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe333.exe9783.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	333.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9783.exe

Loads dropped DLL 2 IoCs

Processes:

9783GamePlaza_mini.tmp

pid process

3832 9783GamePlaza_mini.tmp
3832 9783GamePlaza_mini.tmp

pid	process
3832	9783GamePlaza_mini.tmp
3832	9783GamePlaza_mini.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server183.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	server183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9A7B583 = "C:\\Windows\\B9A7B583\\svchsot.exe"	server183.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\9783.exe	nsis_installer_2
C:\9783.exe	nsis_installer_2

Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

server183.exe

pid process

1244 server183.exe
1244 server183.exe
1244 server183.exe
1244 server183.exe
1244 server183.exe
1244 server183.exe
1244 server183.exe
1244 server183.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

server183.exe

description pid process

Token: SeDebugPrivilege 1244 server183.exe

pid	process
1244	server183.exe
1244	server183.exe
1244	server183.exe
1244	server183.exe
1244	server183.exe
1244	server183.exe
1244	server183.exe
1244	server183.exe

description	pid	process
Token: SeDebugPrivilege	1244	server183.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe333.exe9783.exe9783GamePlaza_mini.exeserver183.exenet.exe

description	pid	process	target process
PID 2044 wrote to memory of 3252	2044	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe	9783.exe
PID 2044 wrote to memory of 3252	2044	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe	9783.exe
PID 2044 wrote to memory of 3252	2044	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe	9783.exe
PID 2044 wrote to memory of 3256	2044	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe	333.exe
PID 2044 wrote to memory of 3256	2044	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe	333.exe
PID 2044 wrote to memory of 3256	2044	5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe	333.exe
PID 3256 wrote to memory of 3364	3256	333.exe	240573515.exe
PID 3256 wrote to memory of 3364	3256	333.exe	240573515.exe
PID 3256 wrote to memory of 3364	3256	333.exe	240573515.exe
PID 3256 wrote to memory of 964	3256	333.exe	cmd.exe
PID 3256 wrote to memory of 964	3256	333.exe	cmd.exe
PID 3256 wrote to memory of 964	3256	333.exe	cmd.exe
PID 3252 wrote to memory of 1156	3252	9783.exe	9783GamePlaza_mini.exe
PID 3252 wrote to memory of 1156	3252	9783.exe	9783GamePlaza_mini.exe
PID 3252 wrote to memory of 1156	3252	9783.exe	9783GamePlaza_mini.exe
PID 3252 wrote to memory of 1244	3252	9783.exe	server183.exe
PID 3252 wrote to memory of 1244	3252	9783.exe	server183.exe
PID 3252 wrote to memory of 1244	3252	9783.exe	server183.exe
PID 1156 wrote to memory of 3832	1156	9783GamePlaza_mini.exe	9783GamePlaza_mini.tmp
PID 1156 wrote to memory of 3832	1156	9783GamePlaza_mini.exe	9783GamePlaza_mini.tmp
PID 1156 wrote to memory of 3832	1156	9783GamePlaza_mini.exe	9783GamePlaza_mini.tmp
PID 1244 wrote to memory of 3500	1244	server183.exe	net.exe
PID 1244 wrote to memory of 3500	1244	server183.exe	net.exe
PID 1244 wrote to memory of 3500	1244	server183.exe	net.exe
PID 3500 wrote to memory of 3980	3500	net.exe	net1.exe
PID 3500 wrote to memory of 3980	3500	net.exe	net1.exe
PID 3500 wrote to memory of 3980	3500	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe
"C:\Users\Admin\AppData\Local\Temp\5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2044

C:\9783.exe
"C:\9783.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3252

C:\9783GamePlaza_mini.exe
"C:\9783GamePlaza_mini.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\is-PQGB1.tmp\9783GamePlaza_mini.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PQGB1.tmp\9783GamePlaza_mini.tmp" /SL5="$A0048,12695405,479744,C:\9783GamePlaza_mini.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3832

C:\server183.exe
"C:\server183.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
4⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
5⤵
PID:3980

C:\333.exe
"C:\333.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Roaming\240573515.exe
"C:\Users\Admin\AppData\Roaming\240573515.exe"
3⤵
- Executes dropped EXE
PID:3364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\333.exe >> NUL
3⤵
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\333.exe

Filesize
92KB

MD5
4c80969658efccec6d6e47f87d4c5aff

SHA1
643f839d60970392a4d11dd42492d5acc0a964c6

SHA256
4ea9d552d38cbefaa1a2287b52fd88154f614ffafd967f8b5ea138e749b2dd4f

SHA512
678e5747e38ad7de0fe74087a3d93c83d83dbe99569a87feccc5cb37950d33795170ec67a96dd749a3f61df9abe23cafd0d4dea5d12ceecef70b67e7d90249ce

Download Submit
C:\333.exe

Filesize
92KB

MD5
4c80969658efccec6d6e47f87d4c5aff

SHA1
643f839d60970392a4d11dd42492d5acc0a964c6

SHA256
4ea9d552d38cbefaa1a2287b52fd88154f614ffafd967f8b5ea138e749b2dd4f

SHA512
678e5747e38ad7de0fe74087a3d93c83d83dbe99569a87feccc5cb37950d33795170ec67a96dd749a3f61df9abe23cafd0d4dea5d12ceecef70b67e7d90249ce

Download Submit
C:\9783.exe

Filesize
12.7MB

MD5
bb7ba5229ed9f855c60c1fc1f7771ae1

SHA1
dfcec11f495c0fd08cd21c904041aac0b83021f0

SHA256
46aff69e14a3222091b50df5c43cd253854e301dc282c14662a0d3dffdf8cead

SHA512
64b1500fa984e505d3ec430d5945e33a30f222972bdb23ceaa23be0e32a611ffb2bf3503015aa579ed852e136bbc1d2195ae9ff879e1bca8bb3db7ccf8355181

Download Submit
C:\9783.exe

Filesize
12.7MB

MD5
bb7ba5229ed9f855c60c1fc1f7771ae1

SHA1
dfcec11f495c0fd08cd21c904041aac0b83021f0

SHA256
46aff69e14a3222091b50df5c43cd253854e301dc282c14662a0d3dffdf8cead

SHA512
64b1500fa984e505d3ec430d5945e33a30f222972bdb23ceaa23be0e32a611ffb2bf3503015aa579ed852e136bbc1d2195ae9ff879e1bca8bb3db7ccf8355181

Download Submit
C:\9783GamePlaza_mini.exe

Filesize
12.5MB

MD5
2607f97d0a5c0102d07a2cb429ffff6d

SHA1
f68cd52ba90abcec2898a791837dcaa9e5f49b96

SHA256
e1afd15cd2b2bdefdae4229205fa598422ba955cf35ed79f11287c700e54bb67

SHA512
81dd1789ab97753dacb7607fc221a3abc4cdd56233dbbbe7b0d4e169c3f71c51617592fadcc9082b346e745c0c5891b2a0eeb21c891698b10ff488eeca5ad087

Download Submit
C:\9783GamePlaza_mini.exe

Filesize
12.5MB

MD5
2607f97d0a5c0102d07a2cb429ffff6d

SHA1
f68cd52ba90abcec2898a791837dcaa9e5f49b96

SHA256
e1afd15cd2b2bdefdae4229205fa598422ba955cf35ed79f11287c700e54bb67

SHA512
81dd1789ab97753dacb7607fc221a3abc4cdd56233dbbbe7b0d4e169c3f71c51617592fadcc9082b346e745c0c5891b2a0eeb21c891698b10ff488eeca5ad087

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MTIAF.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MTIAF.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQGB1.tmp\9783GamePlaza_mini.tmp

Filesize
1.1MB

MD5
938efec9194f3d3651cc95d8e25645fe

SHA1
eaf1d1c8654aa4f84a4a28604b5e5e86182acf55

SHA256
e90d22efde85ec9efff2b271776d388cd358a0848c61d542486fe23cd70f1a69

SHA512
c849f75c2068c9e0c43dd803a1309cadcd4926578ea4a1dc5b217bbf236582188b1970e5f939e503c6e43d11184656871ba8fc6f6352b2202b98f1c23ae69f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQGB1.tmp\9783GamePlaza_mini.tmp

Filesize
1.1MB

MD5
938efec9194f3d3651cc95d8e25645fe

SHA1
eaf1d1c8654aa4f84a4a28604b5e5e86182acf55

SHA256
e90d22efde85ec9efff2b271776d388cd358a0848c61d542486fe23cd70f1a69

SHA512
c849f75c2068c9e0c43dd803a1309cadcd4926578ea4a1dc5b217bbf236582188b1970e5f939e503c6e43d11184656871ba8fc6f6352b2202b98f1c23ae69f4a

Download Submit
C:\Users\Admin\AppData\Roaming\240573515.exe

Filesize
92KB

MD5
4c80969658efccec6d6e47f87d4c5aff

SHA1
643f839d60970392a4d11dd42492d5acc0a964c6

SHA256
4ea9d552d38cbefaa1a2287b52fd88154f614ffafd967f8b5ea138e749b2dd4f

SHA512
678e5747e38ad7de0fe74087a3d93c83d83dbe99569a87feccc5cb37950d33795170ec67a96dd749a3f61df9abe23cafd0d4dea5d12ceecef70b67e7d90249ce

Download Submit
C:\Users\Admin\AppData\Roaming\240573515.exe

Filesize
92KB

MD5
4c80969658efccec6d6e47f87d4c5aff

SHA1
643f839d60970392a4d11dd42492d5acc0a964c6

SHA256
4ea9d552d38cbefaa1a2287b52fd88154f614ffafd967f8b5ea138e749b2dd4f

SHA512
678e5747e38ad7de0fe74087a3d93c83d83dbe99569a87feccc5cb37950d33795170ec67a96dd749a3f61df9abe23cafd0d4dea5d12ceecef70b67e7d90249ce

Download Submit
C:\server183.exe

Filesize
80KB

MD5
b34ae33fd7559ac2cf2e8356fd8932ea

SHA1
6c8f38ec69a34b4a599ed83cba1eb230511080aa

SHA256
c30c4b235df3354f0bd9a062a64bd72e547b34667c1c5c16260078b2411755a3

SHA512
d57c6e791c86fc3a12979095358f21eb1b9acb9e5be93cc4c812f1d7e227224efd91a564d003117957497257e1fd2891e64951c94e772720ecccce4ff2fe5d4a

Download Submit
C:\server183.exe

Filesize
80KB

MD5
b34ae33fd7559ac2cf2e8356fd8932ea

SHA1
6c8f38ec69a34b4a599ed83cba1eb230511080aa

SHA256
c30c4b235df3354f0bd9a062a64bd72e547b34667c1c5c16260078b2411755a3

SHA512
d57c6e791c86fc3a12979095358f21eb1b9acb9e5be93cc4c812f1d7e227224efd91a564d003117957497257e1fd2891e64951c94e772720ecccce4ff2fe5d4a

Download Submit
memory/964-141-0x0000000000000000-mapping.dmp

Download
memory/1156-146-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1156-150-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1156-164-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1156-142-0x0000000000000000-mapping.dmp

Download
memory/1244-151-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1244-154-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1244-153-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1244-145-0x0000000000000000-mapping.dmp

Download
memory/1244-163-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/3252-132-0x0000000000000000-mapping.dmp

Download
memory/3256-135-0x0000000000000000-mapping.dmp

Download
memory/3364-138-0x0000000000000000-mapping.dmp

Download
memory/3500-156-0x0000000000000000-mapping.dmp

Download
memory/3832-162-0x0000000003111000-0x0000000003113000-memory.dmp

Filesize
8KB

Download
memory/3832-155-0x0000000000000000-mapping.dmp

Download
memory/3980-159-0x0000000000000000-mapping.dmp

Download