gh0strat | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7

General

Target

2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
Size

175KB
MD5

595fd6cbd1f481b47f418ac0bc33ed77
SHA1

e2963683df4f6c2713f5a2a5bbddf71bcfeed220
SHA256

2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7
SHA512

9f2aa78b939560277b4c4991ce416dfa9bb01abe06eda4830625231245c4c9bf7be0baf4512b4113d036c0cb9422fa6d14be3d69b1c6322104fbe66300ed6257
SSDEEP

3072:HwRH8SJuKDjXTklcU7TRYMla/U1NaHJxjEdlRh1BtD/qk7E5aGVOke54eKFYQu7F:HaBjDkFRYMlwLAb9BtG6+aoOkwkCQuvZ

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3812-142-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 3 IoCs

Processes:

lei.EXEleii.EXEleiii.EXE

pid process

2312 lei.EXE
216 leii.EXE
3812 leiii.EXE

pid	process
2312	lei.EXE
216	leii.EXE
3812	leiii.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1440-141-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/1440-160-0x0000000000400000-0x00000000004AE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exelei.EXEleiii.EXEleii.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Hal = "c:\\sott.exe"	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lei.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\23A1C2AD = "C:\\Windows\\23A1C2AD\\svchsot.exe"	lei.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	leiii.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3FB9296B = "C:\\Windows\\3FB9296B\\svchsot.exe"	leiii.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	leii.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\87338114 = "C:\\Windows\\87338114\\svchsot.exe"	leii.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe

Drops file in Windows directory 6 IoCs

Processes:

lei.EXEleiii.EXEleii.EXE

description	ioc	process
File created	C:\Windows\23A1C2AD\svchsot.exe	lei.EXE
File opened for modification	C:\Windows\23A1C2AD\svchsot.exe	lei.EXE
File created	C:\Windows\3FB9296B\svchsot.exe	leiii.EXE
File opened for modification	C:\Windows\3FB9296B\svchsot.exe	leiii.EXE
File created	C:\Windows\87338114\svchsot.exe	leii.EXE
File opened for modification	C:\Windows\87338114\svchsot.exe	leii.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

leiii.EXElei.EXEleii.EXE

pid	process
3812	leiii.EXE
3812	leiii.EXE
2312	lei.EXE
2312	lei.EXE
3812	leiii.EXE
3812	leiii.EXE
2312	lei.EXE
2312	lei.EXE
216	leii.EXE
216	leii.EXE
216	leii.EXE
216	leii.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

lei.EXEleiii.EXEleii.EXE

description	pid	process
Token: SeDebugPrivilege	2312	lei.EXE
Token: SeDebugPrivilege	2312	lei.EXE
Token: SeDebugPrivilege	3812	leiii.EXE
Token: SeDebugPrivilege	3812	leiii.EXE
Token: SeDebugPrivilege	216	leii.EXE
Token: SeDebugPrivilege	216	leii.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exelei.EXEleiii.EXEleii.EXEnet.exenet.exenet.exe

description	pid	process	target process
PID 1440 wrote to memory of 2312	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	lei.EXE
PID 1440 wrote to memory of 2312	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	lei.EXE
PID 1440 wrote to memory of 2312	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	lei.EXE
PID 1440 wrote to memory of 216	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	leii.EXE
PID 1440 wrote to memory of 216	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	leii.EXE
PID 1440 wrote to memory of 216	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	leii.EXE
PID 1440 wrote to memory of 3812	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	leiii.EXE
PID 1440 wrote to memory of 3812	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	leiii.EXE
PID 1440 wrote to memory of 3812	1440	2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe	leiii.EXE
PID 2312 wrote to memory of 2768	2312	lei.EXE	net.exe
PID 2312 wrote to memory of 2768	2312	lei.EXE	net.exe
PID 2312 wrote to memory of 2768	2312	lei.EXE	net.exe
PID 3812 wrote to memory of 4936	3812	leiii.EXE	net.exe
PID 3812 wrote to memory of 4936	3812	leiii.EXE	net.exe
PID 3812 wrote to memory of 4936	3812	leiii.EXE	net.exe
PID 216 wrote to memory of 4912	216	leii.EXE	net.exe
PID 216 wrote to memory of 4912	216	leii.EXE	net.exe
PID 216 wrote to memory of 4912	216	leii.EXE	net.exe
PID 2768 wrote to memory of 1984	2768	net.exe	net1.exe
PID 2768 wrote to memory of 1984	2768	net.exe	net1.exe
PID 2768 wrote to memory of 1984	2768	net.exe	net1.exe
PID 4912 wrote to memory of 1828	4912	net.exe	net1.exe
PID 4912 wrote to memory of 1828	4912	net.exe	net1.exe
PID 4912 wrote to memory of 1828	4912	net.exe	net1.exe
PID 4936 wrote to memory of 3084	4936	net.exe	net1.exe
PID 4936 wrote to memory of 3084	4936	net.exe	net1.exe
PID 4936 wrote to memory of 3084	4936	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
"C:\Users\Admin\AppData\Local\Temp\2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1440

C:\lei.EXE
C:\lei.EXE
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
4⤵
PID:1984

C:\leii.EXE
C:\leii.EXE
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
3⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
4⤵
PID:1828

C:\leiii.EXE
C:\leiii.EXE
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
3⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
4⤵
PID:3084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\lei.EXE

Filesize
216KB

MD5
162ca20ef8ea6b71ee6fad3e27639b8d

SHA1
a3c64daf3e3a33ccd517cb667fe6bdb180bafa1c

SHA256
fb7cb898249331790349a213dd555887a7ba80ea97b6bb59f39f0dccb5de9dc5

SHA512
31e18744a8407f13dbb78804382e1f12d1f880fa84d11f1cc05c68d6465ec97dfa158e0c4ed8ce64bf91cb5a4e6996e28bae6656b77b2fa3c36b51d876ac8669

Download Submit
C:\lei.EXE

Filesize
216KB

MD5
162ca20ef8ea6b71ee6fad3e27639b8d

SHA1
a3c64daf3e3a33ccd517cb667fe6bdb180bafa1c

SHA256
fb7cb898249331790349a213dd555887a7ba80ea97b6bb59f39f0dccb5de9dc5

SHA512
31e18744a8407f13dbb78804382e1f12d1f880fa84d11f1cc05c68d6465ec97dfa158e0c4ed8ce64bf91cb5a4e6996e28bae6656b77b2fa3c36b51d876ac8669

Download Submit
C:\leii.EXE

Filesize
216KB

MD5
7f00b395a356f5bb1ceffd779ed8ffa7

SHA1
a6f1968b403d96d382521466e0d6c4ac2cb868c6

SHA256
1ba6ff06f32475f5796a406c240a9f1c58e2fd06069c87b3ce55194510e59735

SHA512
6c466ff147913356689dad4c7de5b8c652a59740f7f18b8348420bba5e2c5b648113a7ca5519da2369717122ce13509c461b9bdb498a9bf2a08b2da8e20aa467

Download Submit
C:\leii.EXE

Filesize
216KB

MD5
7f00b395a356f5bb1ceffd779ed8ffa7

SHA1
a6f1968b403d96d382521466e0d6c4ac2cb868c6

SHA256
1ba6ff06f32475f5796a406c240a9f1c58e2fd06069c87b3ce55194510e59735

SHA512
6c466ff147913356689dad4c7de5b8c652a59740f7f18b8348420bba5e2c5b648113a7ca5519da2369717122ce13509c461b9bdb498a9bf2a08b2da8e20aa467

Download Submit
C:\leiii.EXE

Filesize
216KB

MD5
93aa18cf26e67dcd3110feecc11a1aa8

SHA1
6c663a9e46e572b23ebc295cc627e4b2a3c77306

SHA256
d6976cae1694e34ec112d9b1d6e94adb238f3e1e69caf827b4d6312b78ddbbb5

SHA512
14ddd9aa5389af9ae4e5c9dfd4ce6db66d57e52727eee5a435a26e38c323f61acab1bd450707908f4569a8ff47d403a30ecf492991b93e848296d2f27235e666

Download Submit
C:\leiii.EXE

Filesize
216KB

MD5
93aa18cf26e67dcd3110feecc11a1aa8

SHA1
6c663a9e46e572b23ebc295cc627e4b2a3c77306

SHA256
d6976cae1694e34ec112d9b1d6e94adb238f3e1e69caf827b4d6312b78ddbbb5

SHA512
14ddd9aa5389af9ae4e5c9dfd4ce6db66d57e52727eee5a435a26e38c323f61acab1bd450707908f4569a8ff47d403a30ecf492991b93e848296d2f27235e666

Download Submit
memory/216-135-0x0000000000000000-mapping.dmp

Download
memory/1440-141-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1440-160-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1828-158-0x0000000000000000-mapping.dmp

Download
memory/1984-157-0x0000000000000000-mapping.dmp

Download
memory/2312-132-0x0000000000000000-mapping.dmp

Download
memory/2768-154-0x0000000000000000-mapping.dmp

Download
memory/3084-159-0x0000000000000000-mapping.dmp

Download
memory/3812-138-0x0000000000000000-mapping.dmp

Download
memory/3812-142-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4912-156-0x0000000000000000-mapping.dmp

Download
memory/4936-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads