gh0strat | c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f

General

Target

c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
Size

265KB
MD5

45729bf569e59f3cdf6fe7f034e193f5
SHA1

4ea54e308fd6b8ef8a672cc10a85a93314aa0931
SHA256

c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f
SHA512

788c07ea0b1eb96b996b9f576b95919784c368d49e51f18f92f5b89f64bce6e4de056f898f7e449945a47b1149a6ca86c8c5388a6132ab187ababd46c9c7f962
SSDEEP

6144:OK/egei1t/9FR1eTboMM4Zs0vcLKMsHleE8wUV7lZ:D/egeiDVL5IHCwaH

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1356-58-0x0000000000400000-0x000000000047B000-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000132fb-69.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
268	eitugkutrwrd.exe

Loads dropped DLL 5 IoCs

pid	Process
1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
268	eitugkutrwrd.exe
268	eitugkutrwrd.exe
268	eitugkutrwrd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loveuu.bat	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
File created	C:\Program Files\cqehii\eitugkutrwrd.dll	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
File opened for modification	C:\Program Files\Common Files\qiuqiu.cpp	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
File created	C:\Program Files\Common Files\qiuqiu.cpp	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
File created	C:\Program Files\cqehii\itugkutrwrdf.exe	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
File created	C:\Program Files\cqehii\eitugkutrwrd.exe	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
584	sc.exe
1500	sc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 268	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	28
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 584	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	29
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30
PID 1356 wrote to memory of 1500	1356	c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe	30

C:\Users\Admin\AppData\Local\Temp\c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe
"C:\Users\Admin\AppData\Local\Temp\c6b45fec01c99945354839e8a9d39f11ac217ed382466803043d2c64aabd815f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files\cqehii\eitugkutrwrd.exe
  "C:\Program Files\cqehii\eitugkutrwrd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:268
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:584
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\cqehii\eitugkutrwrd.dll

Filesize
90.9MB

MD5
a284f2507377f714a93328a2317ac4f5

SHA1
910668683a3008b3dc9c6f453ed40f8794fad119

SHA256
d623228097d97b7701c549c69f8735f77bd5f0379ff9697fc3ed2dbf6ce4d091

SHA512
fc3e9f81ec5df2148203495ce105537de716ca1b0a3f4eb4ea4c0e4e774842a7cc33f84ab317522bd1b4a6394c5fb7f1f0221f7854b9a9f4979184df793978ed

Download Submit
C:\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
C:\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
\Program Files\cqehii\eitugkutrwrd.exe

Filesize
8.8MB

MD5
be87e89689934468e1af12b5cf2aaf60

SHA1
5ee7a983412fe18f5b8d139894629a84cc78b61e

SHA256
ca24d609ad36c7b92ef03fe8b4d29d11406ac6864b2c0240ab32e9f621318af5

SHA512
4e37226db90e8f86819e4371d30d145c7ff7d24fbaf245101f36b036bbc232b7cee2d77132b851cf725f410b30646a3ce50a27431ef5faba77cbeaa10289eb65

Download Submit
memory/1356-59-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1356-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1356-57-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-56-0x00000000008E0000-0x000000000095B000-memory.dmp

Filesize
492KB

Download
memory/1356-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing