gh0strat | d4989fbd8ab2cd81f7e882649dcd1cf1c27b48a7e1895538d557469b307571d2

General

Target

06958f1b31d88752a1ba9b11b19424a2.exe
Size

473KB
MD5

06958f1b31d88752a1ba9b11b19424a2
SHA1

498359f2df703ad8d6fb0a897d306736096ba7aa
SHA256

d4989fbd8ab2cd81f7e882649dcd1cf1c27b48a7e1895538d557469b307571d2
SHA512

8e00fc9ca52551c47244372b00d8b624d049b7abe301160bae599c561f9960044218cb9d6f74ed177ec149220bca45a1d70ae397bcd251fc438a9808b08db2d7
SSDEEP

12288:nsaY8revhYIOyzGWIyr+VtivWByO/c690YWLF56KID:B/repYIOyZ+VtS301uNv0

Score

10^/10

gh0strat aspackv2 persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe	family_gh0strat
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe	family_gh0strat
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe	family_gh0strat
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½ÃË±à¼Æ÷.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½ÃË±à¼Æ÷.exe	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

MuÕ½ÃË±à¼Æ÷.exeserver.exesvchost.exe

pid process

3040 MuÕ½ÃË±à¼Æ÷.exe
3600 server.exe
3364 svchost.exe

pid	process
3040	MuÕ½ÃË±à¼Æ÷.exe
3600	server.exe
3364	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3620-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/3620-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/3620-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06958f1b31d88752a1ba9b11b19424a2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	06958f1b31d88752a1ba9b11b19424a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\2016916113342	svchost.exe
File opened for modification	C:\Windows\SysWOW64\2016916113342	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\WINDOWS\V2011.exe svchost.exe
File created C:\WINDOWS\V2011.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\WINDOWS\V2011.exe	svchost.exe
File created	C:\WINDOWS\V2011.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

server.exesvchost.exe

pid	process
3600	server.exe
3600	server.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

3364 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 3364 svchost.exe

pid	process
3364	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3364	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

06958f1b31d88752a1ba9b11b19424a2.exeserver.exe

description	pid	process	target process
PID 3620 wrote to memory of 3040	3620	06958f1b31d88752a1ba9b11b19424a2.exe	MuÕ½ÃË±à¼Æ÷.exe
PID 3620 wrote to memory of 3040	3620	06958f1b31d88752a1ba9b11b19424a2.exe	MuÕ½ÃË±à¼Æ÷.exe
PID 3620 wrote to memory of 3040	3620	06958f1b31d88752a1ba9b11b19424a2.exe	MuÕ½ÃË±à¼Æ÷.exe
PID 3620 wrote to memory of 3600	3620	06958f1b31d88752a1ba9b11b19424a2.exe	server.exe
PID 3620 wrote to memory of 3600	3620	06958f1b31d88752a1ba9b11b19424a2.exe	server.exe
PID 3620 wrote to memory of 3600	3620	06958f1b31d88752a1ba9b11b19424a2.exe	server.exe
PID 3600 wrote to memory of 3364	3600	server.exe	svchost.exe
PID 3600 wrote to memory of 3364	3600	server.exe	svchost.exe
PID 3600 wrote to memory of 3364	3600	server.exe	svchost.exe
PID 3600 wrote to memory of 4084	3600	server.exe	cmd.exe
PID 3600 wrote to memory of 4084	3600	server.exe	cmd.exe
PID 3600 wrote to memory of 4084	3600	server.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\06958f1b31d88752a1ba9b11b19424a2.exe
"C:\Users\Admin\AppData\Local\Temp\06958f1b31d88752a1ba9b11b19424a2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½ÃË±à¼Æ÷.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½ÃË±à¼Æ÷.exe"
2⤵
- Executes dropped EXE
PID:3040

C:\Users\Admin\AppData\Local\Temp\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
3⤵
PID:4084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½ÃË±à¼Æ÷.exe
Filesize
372KB

MD5
29416110d4cb995431cb69d5ce027cd3

SHA1
bf9112166fb90e4440f1d4496e022cf88d5c2d2a

SHA256
72401d35cf04cb934a232c629d2bd8b4333375df0063d8cb3c050ab27b555db5

SHA512
a15a3570c686c9b7ff0ffcaeb8261e66e1b5d30390bcde3a940c305c8fd7490007484713b37cfea95da8812cd090a210cc6afe58333091eabb9fa109e982d5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½ÃË±à¼Æ÷.exe
Filesize
372KB

MD5
29416110d4cb995431cb69d5ce027cd3

SHA1
bf9112166fb90e4440f1d4496e022cf88d5c2d2a

SHA256
72401d35cf04cb934a232c629d2bd8b4333375df0063d8cb3c050ab27b555db5

SHA512
a15a3570c686c9b7ff0ffcaeb8261e66e1b5d30390bcde3a940c305c8fd7490007484713b37cfea95da8812cd090a210cc6afe58333091eabb9fa109e982d5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe
Filesize
204KB

MD5
d008818e7d7d9879a14fb9f4ea73424a

SHA1
cf4272699397b24bb82e8efa283c296ff23d5eef

SHA256
8613c81bddeced214c53b42419b7af4e9c17f77be411b2639d7c8ebe3e3c0bef

SHA512
90f0c8f471983a0240e2aa81224317519d46cf3a18d0ea40f738d6cb2a27a593d67fd8e936f36d260ab38e816c3e03a9b17c337b1941a72c232ca9bdb5396646

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe
Filesize
204KB

MD5
d008818e7d7d9879a14fb9f4ea73424a

SHA1
cf4272699397b24bb82e8efa283c296ff23d5eef

SHA256
8613c81bddeced214c53b42419b7af4e9c17f77be411b2639d7c8ebe3e3c0bef

SHA512
90f0c8f471983a0240e2aa81224317519d46cf3a18d0ea40f738d6cb2a27a593d67fd8e936f36d260ab38e816c3e03a9b17c337b1941a72c232ca9bdb5396646

Download Submit
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
Filesize
204KB

MD5
d008818e7d7d9879a14fb9f4ea73424a

SHA1
cf4272699397b24bb82e8efa283c296ff23d5eef

SHA256
8613c81bddeced214c53b42419b7af4e9c17f77be411b2639d7c8ebe3e3c0bef

SHA512
90f0c8f471983a0240e2aa81224317519d46cf3a18d0ea40f738d6cb2a27a593d67fd8e936f36d260ab38e816c3e03a9b17c337b1941a72c232ca9bdb5396646

Download Submit
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
Filesize
204KB

MD5
d008818e7d7d9879a14fb9f4ea73424a

SHA1
cf4272699397b24bb82e8efa283c296ff23d5eef

SHA256
8613c81bddeced214c53b42419b7af4e9c17f77be411b2639d7c8ebe3e3c0bef

SHA512
90f0c8f471983a0240e2aa81224317519d46cf3a18d0ea40f738d6cb2a27a593d67fd8e936f36d260ab38e816c3e03a9b17c337b1941a72c232ca9bdb5396646

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat
Filesize
2KB

MD5
224467b852777be7c3f78bbdbe7b8ac1

SHA1
9fd26140ca6be8c1911767b908bc5ba8009b4825

SHA256
bc88b96014ebe9291ea65e654e12942fd203f9600a6f045ba8e8c10c635c2a3c

SHA512
95452b3564e5f4fff8121c6509a6fd4ea1169b3935f7ed2ff27daf12ad6f611a643ef522d1c0d261775ddfcfbd74ddfe199557d7ada501bee6e1626aa99f58f5

Download Submit
memory/3040-134-0x0000000000000000-mapping.dmp

Download
memory/3364-141-0x0000000000000000-mapping.dmp

Download
memory/3600-137-0x0000000000000000-mapping.dmp

Download
memory/3620-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3620-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3620-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4084-144-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads