gh0strat | 5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce

General

Target

5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe
Size

739KB
MD5

541af3301b872d53b12e1b41a2217280
SHA1

648697911465731db9df4d58b6ee940ef67aef64
SHA256

5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce
SHA512

0eea843859a9f6e4b71f7f35e83b94992083e8f1d58d8ae9b3b32314c3126b4d50598dfa578daaed8c7e6df1077253be5a6a5c8c84cd38af3c62915b381657b2
SSDEEP

12288:ja9fxEbo5NjdwmShyJzTzJshqd2PV+xDXsNoEacuIGi5z3:8fxEs5h9TzJshqENoD8uyG2

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000022d9e-134.dat	family_gh0strat
behavioral2/files/0x000c000000022d9e-133.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
2380	417.exe
2384	ºÚÃ¨ÆÆ²Ö¿â.exe
4244	tracert..exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\tracert..exe	ºÚÃ¨ÆÆ²Ö¿â.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4244	tracert..exe
4244	tracert..exe
2384	ºÚÃ¨ÆÆ²Ö¿â.exe
2384	ºÚÃ¨ÆÆ²Ö¿â.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2384	ºÚÃ¨ÆÆ²Ö¿â.exe
2384	ºÚÃ¨ÆÆ²Ö¿â.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 2380	4128	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe	78
PID 4128 wrote to memory of 2380	4128	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe	78
PID 4128 wrote to memory of 2380	4128	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe	78
PID 4128 wrote to memory of 2384	4128	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe	79
PID 4128 wrote to memory of 2384	4128	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe	79
PID 4128 wrote to memory of 2384	4128	5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe	79
PID 2384 wrote to memory of 4244	2384	ºÚÃ¨ÆÆ²Ö¿â.exe	84
PID 2384 wrote to memory of 4244	2384	ºÚÃ¨ÆÆ²Ö¿â.exe	84
PID 2384 wrote to memory of 4244	2384	ºÚÃ¨ÆÆ²Ö¿â.exe	84

C:\Users\Admin\AppData\Local\Temp\5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe
"C:\Users\Admin\AppData\Local\Temp\5062e161e201003dc2b5b82822e073b69fe584885b69c7cd56f326cac0a859ce.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\417.exe
  "C:\417.exe"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\ºÚÃ¨ÆÆ²Ö¿â.exe
  "C:\ºÚÃ¨ÆÆ²Ö¿â.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\WINDOWS\SysWOW64\tracert..exe
    C:\WINDOWS\system32\tracert..exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\417.exe

Filesize
124KB

MD5
66955a0482f30f72eedab681799a41e7

SHA1
63b2c667ed01002949ed85831bbd6b334fa6bd20

SHA256
9e7d6ce87e395effc83884dd58cdbe83294588432d1dacbe356c2f50fb0bd650

SHA512
19f035328b4ce9541051e3c25e7d992aaa1ca1ab9f1b60dfc1ba858f238f6b8b0ea4fa47e743d4a72c7d16195cf40182f2c177f43ca9b1860df8cde332d61d46

Download Submit
C:\417.exe

Filesize
124KB

MD5
66955a0482f30f72eedab681799a41e7

SHA1
63b2c667ed01002949ed85831bbd6b334fa6bd20

SHA256
9e7d6ce87e395effc83884dd58cdbe83294588432d1dacbe356c2f50fb0bd650

SHA512
19f035328b4ce9541051e3c25e7d992aaa1ca1ab9f1b60dfc1ba858f238f6b8b0ea4fa47e743d4a72c7d16195cf40182f2c177f43ca9b1860df8cde332d61d46

Download Submit
C:\WINDOWS\SysWOW64\tracert..exe

Filesize
184KB

MD5
dad177dcc3dd8e0b38fdf4d5381c697b

SHA1
dad53b8408de85ea1f9cad53f216b45819032091

SHA256
b8333c8d80ab675724de2e5e4adc55b1e217083b0190b4d60b786fb4590c8ad3

SHA512
6f7901d405a9a8013a3dab9a234ee91b06f61ab3c7f6c7d771dcc25bbf743b4e5f3a8d7f46d6179bbaa83b7fae2efe2697c89bcad63338c3c9e0ef4298ece42d

Download Submit
C:\Windows\SysWOW64\tracert..exe

Filesize
184KB

MD5
dad177dcc3dd8e0b38fdf4d5381c697b

SHA1
dad53b8408de85ea1f9cad53f216b45819032091

SHA256
b8333c8d80ab675724de2e5e4adc55b1e217083b0190b4d60b786fb4590c8ad3

SHA512
6f7901d405a9a8013a3dab9a234ee91b06f61ab3c7f6c7d771dcc25bbf743b4e5f3a8d7f46d6179bbaa83b7fae2efe2697c89bcad63338c3c9e0ef4298ece42d

Download Submit
C:\ºÚÃ¨ÆÆ²Ö¿â.exe

Filesize
1.8MB

MD5
1d9a6a5aa024ae5512d50a3312445c13

SHA1
f47a60944331f4e1ff8b9ba625d360a5c683405a

SHA256
cf18a58924f24cc3d69c0bcd240487b6736b0867a824123f23afbdcb278581a6

SHA512
95807fd22e1a29f074af3945c388afb8834a3a991717c67c39a04ccf01e85728df282fd18056182076edd793281eec48485e06ec8805438ab48717b459ab30ff

Download Submit
C:\ºÚÃ¨ÆÆ²Ö¿â.exe

Filesize
1.8MB

MD5
1d9a6a5aa024ae5512d50a3312445c13

SHA1
f47a60944331f4e1ff8b9ba625d360a5c683405a

SHA256
cf18a58924f24cc3d69c0bcd240487b6736b0867a824123f23afbdcb278581a6

SHA512
95807fd22e1a29f074af3945c388afb8834a3a991717c67c39a04ccf01e85728df282fd18056182076edd793281eec48485e06ec8805438ab48717b459ab30ff

Download Submit

Analysis

Sharing