gh0strat | 8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4

General

Target

NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe
Size

10.1MB
MD5

0afb464d2654193dac667c26a24afbd0
SHA1

cc52ed0e0caba7a3dab7b40f4d06605205d8a9df
SHA256

8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4
SHA512

2290595bb7bc96b7d46ccce660c808bf58d18802e82f89407e6887d030e66ebe636c35fe917aed1c95f74387aab7c0f4a449f17749a8e58b8066b28c38ac4e5d
SSDEEP

6144:1IposGo+OMpe4HMHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHf:SpodaMo4Y

Score

10^/10

gh0strat rat upx

Malware Config

Extracted

Family

gh0strat

C2

127.0.0.1

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2264-1-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral1/memory/2588-10-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral1/memory/2588-17-0x0000000000400000-0x0000000000465000-memory.dmp	family_gh0strat
behavioral1/memory/2712-21-0x0000000000400000-0x0000000000465000-memory.dmp	family_gh0strat
behavioral1/memory/2264-22-0x0000000000400000-0x0000000000465000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2588	360 automatic update.bat
2712	360 automatic update.bat

Loads dropped DLL 1 IoCs

pid	Process
2588	360 automatic update.bat

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2264-0-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/files/0x00060000000120e4-8.dat	upx
behavioral1/files/0x00060000000120e4-9.dat	upx
behavioral1/files/0x00060000000120e4-13.dat	upx
behavioral1/memory/2712-16-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/files/0x00060000000120e4-15.dat	upx
behavioral1/memory/2588-17-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2712-21-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2264-22-0x0000000000400000-0x0000000000465000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\360 automatic update.bat	NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe
File created	C:\Windows\SysWOW64\360 automatic update.bat	NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2264	NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe
2264	NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe
2264	NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe
2588	360 automatic update.bat
2588	360 automatic update.bat
2588	360 automatic update.bat
2712	360 automatic update.bat
2712	360 automatic update.bat
2712	360 automatic update.bat

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29
PID 2588 wrote to memory of 2712	2588	360 automatic update.bat	29

C:\Users\Admin\AppData\Local\Temp\NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\SysWOW64\360 automatic update.bat
"C:\Windows\SysWOW64\360 automatic update.bat"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\360 automatic update.bat
  "C:\Windows\SysWOW64\360 automatic update.bat" Win7
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\360 automatic update.bat

Filesize
10.1MB

MD5
0afb464d2654193dac667c26a24afbd0

SHA1
cc52ed0e0caba7a3dab7b40f4d06605205d8a9df

SHA256
8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4

SHA512
2290595bb7bc96b7d46ccce660c808bf58d18802e82f89407e6887d030e66ebe636c35fe917aed1c95f74387aab7c0f4a449f17749a8e58b8066b28c38ac4e5d

Download Submit
C:\Windows\SysWOW64\360 automatic update.bat

Filesize
10.1MB

MD5
0afb464d2654193dac667c26a24afbd0

SHA1
cc52ed0e0caba7a3dab7b40f4d06605205d8a9df

SHA256
8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4

SHA512
2290595bb7bc96b7d46ccce660c808bf58d18802e82f89407e6887d030e66ebe636c35fe917aed1c95f74387aab7c0f4a449f17749a8e58b8066b28c38ac4e5d

Download Submit
C:\Windows\SysWOW64\360 automatic update.bat

Filesize
10.1MB

MD5
0afb464d2654193dac667c26a24afbd0

SHA1
cc52ed0e0caba7a3dab7b40f4d06605205d8a9df

SHA256
8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4

SHA512
2290595bb7bc96b7d46ccce660c808bf58d18802e82f89407e6887d030e66ebe636c35fe917aed1c95f74387aab7c0f4a449f17749a8e58b8066b28c38ac4e5d

Download Submit
\Windows\SysWOW64\360 automatic update.bat

Filesize
10.1MB

MD5
0afb464d2654193dac667c26a24afbd0

SHA1
cc52ed0e0caba7a3dab7b40f4d06605205d8a9df

SHA256
8dc7625de7e66a1387caa9f6219533db636dcb1b26d77a8a868029c904f729c4

SHA512
2290595bb7bc96b7d46ccce660c808bf58d18802e82f89407e6887d030e66ebe636c35fe917aed1c95f74387aab7c0f4a449f17749a8e58b8066b28c38ac4e5d

Download Submit
memory/2264-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2264-1-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2264-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2588-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2588-14-0x0000000001EE0000-0x0000000001F45000-memory.dmp

Filesize
404KB

Download
memory/2588-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2712-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2712-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing