gh0strat | 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee

General

Target

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe
Size

1.8MB
MD5

5e4e6beee345bc64fb79b527f24cbdbb
SHA1

eb09e2cac1201f6859a2a32617c38ca8ca3e29dd
SHA256

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee
SHA512

011758622d12280a9ea6d51874fd108294c54f2554996a480b24d6e6ba4ab1e848612b16fda0ba6b0ec2e1450b1a18cfc064400245e103ae8714a7c389095c97
SSDEEP

49152:bpobWsin5UdSluJGOjft7sEFF5fSJbTwU9rT4nRmzD2rlWT:dobQ5uSrOjfi454bTwizDxT

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Server.exe	family_gh0strat
C:\Server.exe	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmp	acprotect

Executes dropped EXE 2 IoCs

Processes:

ÐÞ¸´.exeServer.exe

pid process

1332 ÐÞ¸´.exe
1928 Server.exe

pid	process
1332	ÐÞ¸´.exe
1928	Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe

Loads dropped DLL 2 IoCs

Processes:

ÐÞ¸´.exe

pid process

1332 ÐÞ¸´.exe
1332 ÐÞ¸´.exe
Drops file in Program Files directory 1 IoCs

Processes:

Server.exe

description ioc process

File created C:\Program Files (x86)\wi240830703nd.temp Server.exe
Drops file in Windows directory 1 IoCs

Processes:

Server.exe

description ioc process

File opened for modification C:\Windows\MySomeInfo.ini Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Server.exe

pid process

1928 Server.exe
1928 Server.exe

pid	process
1332	ÐÞ¸´.exe
1332	ÐÞ¸´.exe

description	ioc	process
File created	C:\Program Files (x86)\wi240830703nd.temp	Server.exe

description	ioc	process
File opened for modification	C:\Windows\MySomeInfo.ini	Server.exe

pid	process
1928	Server.exe
1928	Server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe

description	pid	process	target process
PID 3268 wrote to memory of 1332	3268	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe	ÐÞ¸´.exe
PID 3268 wrote to memory of 1332	3268	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe	ÐÞ¸´.exe
PID 3268 wrote to memory of 1332	3268	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe	ÐÞ¸´.exe
PID 3268 wrote to memory of 1928	3268	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe	Server.exe
PID 3268 wrote to memory of 1928	3268	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe	Server.exe
PID 3268 wrote to memory of 1928	3268	304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe
"C:\Users\Admin\AppData\Local\Temp\304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3268

C:\ÐÞ¸´.exe
"C:\ÐÞ¸´.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332

C:\Server.exe
"C:\Server.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Server.exe
Filesize
157KB

MD5
0ed8d43d8f4e3f766d5a7478875334e5

SHA1
cf1779a1cb34ca5bfff9418d64a19b1c9bcc4d30

SHA256
1274fd21aebb6567eb888496d6bb9f3fe0f5af75ee86352adf367fef0976e813

SHA512
be4999e11c262d123cd5cf75d24638493e9558c56d759d6ac5daaeaf5e81ef93655de06e1588a578c28ab6701a1c11f1b7ab13a78c872aa0a80ca664744c4c87

Download Submit
C:\Server.exe
Filesize
157KB

MD5
0ed8d43d8f4e3f766d5a7478875334e5

SHA1
cf1779a1cb34ca5bfff9418d64a19b1c9bcc4d30

SHA256
1274fd21aebb6567eb888496d6bb9f3fe0f5af75ee86352adf367fef0976e813

SHA512
be4999e11c262d123cd5cf75d24638493e9558c56d759d6ac5daaeaf5e81ef93655de06e1588a578c28ab6701a1c11f1b7ab13a78c872aa0a80ca664744c4c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\ÐÞ¸´.exe
Filesize
4.8MB

MD5
3517b7e7eaa58562d0878a76a2221974

SHA1
55a9ef7019b3d11329779e6d8c56317caa3bbad2

SHA256
c2b945574253e3770f86ea667960aa81767b4d5794b9494c0f7c22cf22b32fee

SHA512
985a3b53d46e49f4f4e83c2277e7368f34676915bcfc62957dfe6b3c213e1f41b6713a7f6f40de6685a2ce1775eb99380fe1802d1f52d225fa7ce4adf95e98b9

Download Submit
C:\ÐÞ¸´.exe
Filesize
4.8MB

MD5
3517b7e7eaa58562d0878a76a2221974

SHA1
55a9ef7019b3d11329779e6d8c56317caa3bbad2

SHA256
c2b945574253e3770f86ea667960aa81767b4d5794b9494c0f7c22cf22b32fee

SHA512
985a3b53d46e49f4f4e83c2277e7368f34676915bcfc62957dfe6b3c213e1f41b6713a7f6f40de6685a2ce1775eb99380fe1802d1f52d225fa7ce4adf95e98b9

Download Submit
memory/1332-132-0x0000000000000000-mapping.dmp

Download
memory/1332-135-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/1332-141-0x0000000000A40000-0x0000000000AB3000-memory.dmp

Filesize
460KB

Download
memory/1928-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads