gh0strat | 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec

General

Target

1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
Size

204KB
MD5

3cc5633a1c10621a9f34cae49cee1d48
SHA1

f20a294698f474d3c1f86a1a8738ca38af7cf7e7
SHA256

1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec
SHA512

bf3246c24e67a0ee407794069585993a44add2376d1ba81fac4c8aac716739d733fceb91c551b5b43de74fc0cc59c7ece54c6125c109a17c303deacce37b3610
SSDEEP

3072:ArBaHAhAtPf6BWHWVXhqPEzO/V1VrNYQkCA+HFSWvF3TBftEnob2RI:8uAh/WHv9DNYtEHhvF3TBlEnob/

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e63-133.dat	family_gh0strat
behavioral2/files/0x0006000000022e63-134.dat	family_gh0strat
behavioral2/files/0x0006000000022e68-137.dat	family_gh0strat
behavioral2/memory/2736-138-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2736-139-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2736	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2736	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yjsoft.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\yjsoft.ini	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\alg.exe	svchost.exe
File opened for modification	C:\windows\alg.exe	svchost.exe
File created	C:\Windows\Sys.VBS	svchost.exe
File created	C:\WINDOWS\FF13.exe	svchost.exe
File created	C:\WINDOWS\FF12.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1680	2736	WerFault.exe	78

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	svchost.exe
Token: SeDebugPrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 2736	3792	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	78
PID 3792 wrote to memory of 2736	3792	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	78
PID 3792 wrote to memory of 2736	3792	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	78
PID 2736 wrote to memory of 4820	2736	svchost.exe	81
PID 2736 wrote to memory of 4820	2736	svchost.exe	81
PID 2736 wrote to memory of 4820	2736	svchost.exe	81

C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
"C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1452
    3⤵
    - Program crash
    PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2736 -ip 2736
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
15.2MB

MD5
ce470b3a02f89d43e1f765e5d59226a8

SHA1
4d0d91ab311eb8602a967c03b9e501894364052c

SHA256
6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

SHA512
5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
15.2MB

MD5
ce470b3a02f89d43e1f765e5d59226a8

SHA1
4d0d91ab311eb8602a967c03b9e501894364052c

SHA256
6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

SHA512
5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

Download Submit
C:\Windows\Sys.VBS

Filesize
1KB

MD5
e5baac34de9a9068a0c901392f21efe5

SHA1
77f9cb2be96bfbf4e0eefb27b759faeb13b50b29

SHA256
7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9

SHA512
dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374

Download Submit
C:\Windows\SysWOW64\yjsoft.ini

Filesize
152KB

MD5
60c9e406f6ad0ba9104a236786a02e8f

SHA1
110375bd7de771f8b2d793c9f431e8b2b9fa22d9

SHA256
1f14d1da060723cd994d1ddc8d8d714331625a55ba0e13acb2621712b97c353b

SHA512
517a580a6cee7cee0238814cf5a22f2c2b7a4123dc3d2dea82f4e3884b7a8ad90e45f6bdf31b60b080482632f3ed9db3103d7928325e3f0b25dc0327e3c9e7d7

Download Submit
memory/2736-138-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2736-139-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing