gh0strat | d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625

General

Target

d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe
Size

192KB
MD5

e60054048586f1fd899026fa9518bf05
SHA1

786f2d45dc1787907a01da1a92d51e6b7b421193
SHA256

d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625
SHA512

97b13e6c4a8cce3fbf3570b5b44515ca2f7c4836923abe22388b50f5503c36bfbe3549c57a3ad025e0c013fe466beee19cca6f97a144ed0a83428bff7ecb9891
SSDEEP

3072:OLk395hYXJmvg7vbbDS7qPetsloM65IrytY0lE2BxUB4RI+JtSE0RP3OEOsvZ/ge:OQqtr+qPJoEAu2TUmzXSrOsR2c

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012314-55.dat	family_gh0strat
behavioral1/files/0x000c000000012314-56.dat	family_gh0strat
behavioral1/files/0x000c000000012314-58.dat	family_gh0strat
behavioral1/files/0x000c000000012314-60.dat	family_gh0strat
behavioral1/files/0x000c000000012314-61.dat	family_gh0strat
behavioral1/files/0x000c000000012314-62.dat	family_gh0strat
behavioral1/files/0x000c000000012314-63.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1232	2013829125935.exe

Loads dropped DLL 5 IoCs

pid	Process
936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe
936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe
1232	2013829125935.exe
1232	2013829125935.exe
1232	2013829125935.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1232	2013829125935.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28
PID 936 wrote to memory of 1232	936	d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe	28

C:\Users\Admin\AppData\Local\Temp\d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe
"C:\Users\Admin\AppData\Local\Temp\d8c1c40bab3b790ac9ceffefc2c1954ab6613fa71773a24bee5667ead21a6625.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\temp\2013829125935.exe
  "C:\Windows\temp\2013829125935.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
C:\Windows\temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
\Windows\Temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
\Windows\Temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
\Windows\Temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
\Windows\Temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
\Windows\Temp\2013829125935.exe

Filesize
328KB

MD5
150d1e80e1fd4a32d22f4f10f9c8cdba

SHA1
1c7314119683576973c93f6c6b5909880c4d98e0

SHA256
a6bc8cc33fbfb822cde309f67e7e674ecf0dcbbd75f5230e09d218c1d8085fe4

SHA512
736cb9345150904228920592067d9ffc1192f2ab5437319eae8da667bf9886d23a956a42e6312434e361827e03f37aeb4f23a1ae42a29d52be0cd1ddde702009

Download Submit
memory/936-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing