gh0strat | a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2

General

Target

a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe
Size

23KB
MD5

f77cfbe18541b4caab96038cf7e3afaa
SHA1

1ed8f61d66be5f3f9977987e489ef8192d5eae9d
SHA256

a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2
SHA512

04d334f5558ddac0716c42b560948945b84a61640da448d657abed758eff7ce046c6297608243a3a5fa7d58e384cf3ca17b4fa947d7291438f454b98bd78af62
SSDEEP

384:U2WW6Vid5eR3KyhU1M4DGPhCasZKjKj39/EggzGBkSwxk:FcidU9KyhaM4DGIZKjKj9MPgkA

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/316-143-0x0000000010000000-0x0000000010014000-memory.dmp	family_gh0strat
behavioral2/memory/316-147-0x0000000003B50000-0x0000000003C9A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
316	uptips.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	uptips.tmp
File opened (read-only)	\??\F:	uptips.tmp
File opened (read-only)	\??\N:	uptips.tmp
File opened (read-only)	\??\R:	uptips.tmp
File opened (read-only)	\??\Z:	uptips.tmp
File opened (read-only)	\??\J:	uptips.tmp
File opened (read-only)	\??\K:	uptips.tmp
File opened (read-only)	\??\L:	uptips.tmp
File opened (read-only)	\??\O:	uptips.tmp
File opened (read-only)	\??\Q:	uptips.tmp
File opened (read-only)	\??\U:	uptips.tmp
File opened (read-only)	\??\E:	uptips.tmp
File opened (read-only)	\??\G:	uptips.tmp
File opened (read-only)	\??\I:	uptips.tmp
File opened (read-only)	\??\X:	uptips.tmp
File opened (read-only)	\??\H:	uptips.tmp
File opened (read-only)	\??\M:	uptips.tmp
File opened (read-only)	\??\P:	uptips.tmp
File opened (read-only)	\??\S:	uptips.tmp
File opened (read-only)	\??\T:	uptips.tmp
File opened (read-only)	\??\V:	uptips.tmp
File opened (read-only)	\??\W:	uptips.tmp
File opened (read-only)	\??\Y:	uptips.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	uptips.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	uptips.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1408	a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe
1408	a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe
316	uptips.tmp
316	uptips.tmp
316	uptips.tmp
316	uptips.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4120	1408	a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe	83
PID 1408 wrote to memory of 4120	1408	a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe	83
PID 1408 wrote to memory of 4120	1408	a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe	83
PID 4120 wrote to memory of 316	4120	cmd.exe	85
PID 4120 wrote to memory of 316	4120	cmd.exe	85
PID 4120 wrote to memory of 316	4120	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe
"C:\Users\Admin\AppData\Local\Temp\a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Downloads\uptips.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Public\Downloads\uptips.tmp
    C:\Users\Public\Downloads\uptips.tmp
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
d5d82c08e6fd869fbaaaaf1765526e41

SHA1
94b72e5ed611060f4b465502ac2ae4feedc89575

SHA256
feb7a9e2a2e668c38ca21a509c6f235afb74f9576b24f69942f6efd3261db142

SHA512
e7eaf0e293b5c49674cab857140d0d8568ef12f7aa1c5d3410c59601192a61b56bc7d1ecc83f232be87dd3f7ad40c422c0b78a6cc741892aa9164f37437e0deb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_62C9125CF87A74A6C1401156850C787B

Filesize
278B

MD5
68b1f02f17a7d0caa1a5f68a35166f7f

SHA1
b15f8c083dca749825d17f54cccd003017531102

SHA256
1ab05e917256ced6d09e9327483fad5124fb2c24c316b3159f9b7e7137635382

SHA512
c5c4415d82a39313bde5fc3d596e8b235915b39d3e4f51e952e48a0732c40f93e59a4c12ddc8d8559556270c12d6477e341cc2759a03671654ddba74aaceb8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
4dec721e2b2a503a912799ab047f3aeb

SHA1
2370df49df2212403dd6e8d479493afe176e9154

SHA256
802138c8cfc52b6ab43d3df07444392839acd412fff385347a2069fce625f2e0

SHA512
8738882813dc9dbef1d6e7a4d22a087553cbd9bc3ac77af9ecb4e8345a7bfdc189757b599e8ca354cdb8e3b0f063beb63477ed9b6a2ddedafbfe25da2e490916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_62C9125CF87A74A6C1401156850C787B

Filesize
396B

MD5
955eb8f9094fb3b2e0fe8c31077efaea

SHA1
264eb5b528a5fdb2d7ff43ffe65b4801c6c2094f

SHA256
2deea1712ccaabedea7fc4b38c412663b3ec2e0718a277b51533c91b0218fa83

SHA512
ecefa71ad51fae76d51bd58e26faadb2956a94e514428e806b1928717df0dabb66a4aa5d709a33a00cd1f57f0a8775baf013ac2ef1cf6d7ddf40dc6f060b88ba

Download Submit
C:\Users\Public\Downloads\uptips.tmp

Filesize
23KB

MD5
f77cfbe18541b4caab96038cf7e3afaa

SHA1
1ed8f61d66be5f3f9977987e489ef8192d5eae9d

SHA256
a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2

SHA512
04d334f5558ddac0716c42b560948945b84a61640da448d657abed758eff7ce046c6297608243a3a5fa7d58e384cf3ca17b4fa947d7291438f454b98bd78af62

Download Submit
C:\Users\Public\Downloads\uptips.tmp

Filesize
23KB

MD5
f77cfbe18541b4caab96038cf7e3afaa

SHA1
1ed8f61d66be5f3f9977987e489ef8192d5eae9d

SHA256
a09ca26f20b2157dfb6b8210d1da2fcf7c970356136ddae0eb2a5691021f9bd2

SHA512
04d334f5558ddac0716c42b560948945b84a61640da448d657abed758eff7ce046c6297608243a3a5fa7d58e384cf3ca17b4fa947d7291438f454b98bd78af62

Download Submit
memory/316-143-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/316-146-0x00000000032A0000-0x00000000032CD000-memory.dmp

Filesize
180KB

Download
memory/316-147-0x0000000003B50000-0x0000000003C9A000-memory.dmp

Filesize
1.3MB

Download
memory/1408-132-0x0000000003570000-0x00000000035BE000-memory.dmp

Filesize
312KB

Download
memory/1408-135-0x00000000035C0000-0x00000000035ED000-memory.dmp

Filesize
180KB

Download
memory/1408-133-0x00000000035C0000-0x00000000035ED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads