gh0strat | a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c

General

Target

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
Size

24KB
MD5

fa4d9fbdc732b960d6574cd3c6b3ad8f
SHA1

54a593350ab7da76b95c2a6c09128ae68aab934b
SHA256

a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c
SHA512

cf598aab0a466ecf029a86df122bfda575895d9b2252d79cce8a951f7a2aded9a656c9fc7d17972017a5b973d1d4b861f54ed843ea45e134dec4bcbf57ad1fe3
SSDEEP

192:lf/82V/SYpHNn+e+eLPvVBplvV/gUoynRdsqonH6:1U2JSYpHNnJpFBx/17dtonH6

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1316-167-0x0000000010000000-0x000000001017B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
3840	LiveUpdate.exe
4316	LiveUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001300000001db57-153.dat	upx
behavioral2/memory/3840-158-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/3840-159-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/3840-160-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/3840-174-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/files/0x001300000001db57-183.dat	upx
behavioral2/memory/4316-187-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4316-189-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4316-190-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4316-195-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3840 set thread context of 1316	3840	LiveUpdate.exe	91
PID 4316 set thread context of 1600	4316	LiveUpdate.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3060	1316	WerFault.exe	91
384	1600	WerFault.exe	103

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
4484	a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
3840	LiveUpdate.exe
3840	LiveUpdate.exe
1316	cmd.exe
4316	LiveUpdate.exe
4316	LiveUpdate.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 3840 wrote to memory of 1316	3840	LiveUpdate.exe	91
PID 4316 wrote to memory of 1600	4316	LiveUpdate.exe	103
PID 4316 wrote to memory of 1600	4316	LiveUpdate.exe	103
PID 4316 wrote to memory of 1600	4316	LiveUpdate.exe	103
PID 4316 wrote to memory of 1600	4316	LiveUpdate.exe	103

C:\Users\Admin\AppData\Local\Temp\a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe
"C:\Users\Admin\AppData\Local\Temp\a8ee9833da3d82d630deed0134c8fb2379f8284bd29fed4c5b5b284af551c74c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4484

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 488
    3⤵
    - Program crash
    PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1316 -ip 1316
1⤵
PID:4876

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 80
    3⤵
    - Program crash
    PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1600 -ip 1600
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.txt

Filesize
1.1MB

MD5
99cb9755677981518e59ba049e4b2e5a

SHA1
35a7899576f5bb2f0a99ea69e03acd4f9b63f831

SHA256
c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba

SHA512
12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74

Download Submit
C:\ProgramData\SqlVersion.dll

Filesize
932KB

MD5
08f1b7dc0f72ef52d7e190496e24d5b7

SHA1
57f00b052822a4a4b3be57d0d04d64c06e01043a

SHA256
304a6a5db26763f70092e7d953afa9665be541c5a993c641b2cc3e976e3c1e9b

SHA512
450b2cfd9b766fbaec82449154bc78b1a89137f85c7613e5ea5f74ee6d9f93589e1e84334b034600dff49c7758045cb07c587d18560705e6e700e0bcbd523b2a

Download Submit
C:\ProgramData\SqlVersion.dll

Filesize
932KB

MD5
08f1b7dc0f72ef52d7e190496e24d5b7

SHA1
57f00b052822a4a4b3be57d0d04d64c06e01043a

SHA256
304a6a5db26763f70092e7d953afa9665be541c5a993c641b2cc3e976e3c1e9b

SHA512
450b2cfd9b766fbaec82449154bc78b1a89137f85c7613e5ea5f74ee6d9f93589e1e84334b034600dff49c7758045cb07c587d18560705e6e700e0bcbd523b2a

Download Submit
C:\ProgramData\Thunder\LiveUpdate.dat

Filesize
36KB

MD5
f033471932cc558c5f7a25261967a97b

SHA1
8186d2f9ae0ea74f2214da3ad0a932e609f25052

SHA256
9ab9d6ed62410c38f7045e5fedb39457db70cbb47cf4d1293fa1ef7a24fea41e

SHA512
406665d8f77c810e9a19676416249b7159208935b541c9f4f21bec91f74093fa9b4d6acfe511c07d9496064e9e951259b8c98e163ce7c69eff492e307b3423ac

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe

Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe

Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_1\_TUProjDT.dat

Filesize
4B

MD5
bd74984124813a14a4b6794b4832c19d

SHA1
502ac30df476653c9c2189f97ade61919d132909

SHA256
c5d16bf49dfcd5b00c03ee20672285b953eb064de2927cce8628a42899ba3b91

SHA512
a9b757b43ac895e520087b28fc8fa7797b4dd29bd848b1159aed41cf065b10245e4ce055200e5cf3231f1558ed104735937de675aaacf7490dbc915d4d3d96eb

Download Submit
memory/1316-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1316-167-0x0000000010000000-0x000000001017B000-memory.dmp

Filesize
1.5MB

Download
memory/1316-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1316-173-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3840-174-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3840-160-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3840-161-0x0000000002D90000-0x0000000002D99000-memory.dmp

Filesize
36KB

Download
memory/3840-163-0x0000000002D90000-0x0000000002D99000-memory.dmp

Filesize
36KB

Download
memory/3840-159-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3840-158-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4316-187-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4316-189-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4316-190-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4316-195-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing