gh0strat | 9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff

General

Target

9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
Size

14.3MB
MD5

6786224c678a7eb8cbb52a99508be342
SHA1

01d7a7e8d3025e60303924527a4714e08a4e8e07
SHA256

9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff
SHA512

3b8c611d5c6cd641633d5610f9926f46f69384088984a6f46986a1e44b2508a28cb50dd6c66fa93577308b7c0e9b7ba764f08bc85b64ddb15eaed350cefda371
SSDEEP

393216:Uv3AL0ZHvdu8IX3SYB3qRZackt9YmLH+SjEDtz:AoaHvduLc0cE9Rnq

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1352-71-0x0000000010000000-0x0000000010033000-memory.dmp	family_gh0strat
behavioral1/memory/1352-67-0x0000000010000000-0x0000000010033000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1080	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
308	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp

Loads dropped DLL 4 IoCs

pid	Process
1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
1080	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
308	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp
308	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
308	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1080	1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	28
PID 1352 wrote to memory of 1080	1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	28
PID 1352 wrote to memory of 1080	1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	28
PID 1352 wrote to memory of 1080	1352	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	28
PID 1080 wrote to memory of 308	1080	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	29
PID 1080 wrote to memory of 308	1080	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	29
PID 1080 wrote to memory of 308	1080	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	29
PID 1080 wrote to memory of 308	1080	9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe	29

C:\Users\Admin\AppData\Local\Temp\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
"C:\Users\Admin\AppData\Local\Temp\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe
  "C:\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\is-JFQ3S.tmp\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JFQ3S.tmp\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp" /SL5="$80150,10472549,56832,C:\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe

Filesize
10.3MB

MD5
be1047990f9e470e4d95d19076ceda16

SHA1
af8ebe1b7cbe76238f0aa7007e7ba79bb19f5d27

SHA256
41ecc702f65106f97eda0dc6f0422fe149ab9c8e36a2337888c230228dd58631

SHA512
7c9de3192b6a87d3d33cca4c0a892813a8df1fea99655aeb2ad3afa8e4053bd1ca95622772fe5fb29b7d4b95119862862a601a1168c78466482ced0120bdb34b

Download Submit
C:\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe

Filesize
10.3MB

MD5
be1047990f9e470e4d95d19076ceda16

SHA1
af8ebe1b7cbe76238f0aa7007e7ba79bb19f5d27

SHA256
41ecc702f65106f97eda0dc6f0422fe149ab9c8e36a2337888c230228dd58631

SHA512
7c9de3192b6a87d3d33cca4c0a892813a8df1fea99655aeb2ad3afa8e4053bd1ca95622772fe5fb29b7d4b95119862862a601a1168c78466482ced0120bdb34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFQ3S.tmp\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp

Filesize
702KB

MD5
cfc41d1f903d2662574910200b127751

SHA1
47b2b85fe3e043886d6c028f66b5051344869d0c

SHA256
d6523ca1c700a71b85ad2b64c39b9f04c22d7971933379cb997bfcb09d58772f

SHA512
7a2bc18f6c19a788f387a917975b840dbf8dfc1806385e8ec5b5cfe75b04aae2ad3bc9d639767a9d493eb1df767d7a13e8154c3a8b53d92630bde93bc0c9b5d2

Download Submit
\Program Files\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.exe

Filesize
10.3MB

MD5
be1047990f9e470e4d95d19076ceda16

SHA1
af8ebe1b7cbe76238f0aa7007e7ba79bb19f5d27

SHA256
41ecc702f65106f97eda0dc6f0422fe149ab9c8e36a2337888c230228dd58631

SHA512
7c9de3192b6a87d3d33cca4c0a892813a8df1fea99655aeb2ad3afa8e4053bd1ca95622772fe5fb29b7d4b95119862862a601a1168c78466482ced0120bdb34b

Download Submit
\Users\Admin\AppData\Local\Temp\is-3JF81.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3JF81.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JFQ3S.tmp\9d7adb44c66e553eef3f45bf4d98b0bed0e3f2633f82ebea80da2c3f70806dff.tmp

Filesize
702KB

MD5
cfc41d1f903d2662574910200b127751

SHA1
47b2b85fe3e043886d6c028f66b5051344869d0c

SHA256
d6523ca1c700a71b85ad2b64c39b9f04c22d7971933379cb997bfcb09d58772f

SHA512
7a2bc18f6c19a788f387a917975b840dbf8dfc1806385e8ec5b5cfe75b04aae2ad3bc9d639767a9d493eb1df767d7a13e8154c3a8b53d92630bde93bc0c9b5d2

Download Submit
memory/1080-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1080-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1352-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1352-66-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1352-71-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1352-67-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing