Analysis
- max time kernel: 118s
- max time network: 181s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2023, 06:48
Static task: static1
Behavioral task: behavioral1
- Sample: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe
- Resource: win10v2004-20230915-en
General
- Target: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe
- Size: 404KB
- MD5: afb32c288fb7bb31154a40f38d7ecdc5
- SHA1: 57ce4792da716b0b25d1f56a275e42b1d514e03b
- SHA256: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e
- SHA512: 127ff706cbf39876775ba31d85963445f242b50c99a3f8e2060b4b19798066461740318414107d1fa1007cadc829a417090ff78b1ed67a820597c132a7a4a918
- SSDEEP: 3072:MSK/yLrQbWaR5Qax8c/Yteyxy+Pb9gcamf/w5vtc009w60wbGC0XaMO:MtyLEbWaR5CcmTPb9gc16LKLbwah
Malware Config
Extracted
- Family: gh0strat
- Extracted address: 198.44.185.242
Signatures

Gh0st RAT payload (1 IoC)
- resource: behavioral1/memory/1724-0-0x0000000010000000-0x0000000010015000-memory.dmp, yara_rule: family_gh0strat

Executes dropped EXE (2 IoCs)
- PID 2316: Yiigkau.exe
- PID 2548: Yiigkau.exe

Loads dropped DLL (1 IoC)
- PID 2316: Yiigkau.exe

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe: \??\M:, \??\V:, \??\X:, \??\E:, \??\L:, \??\Y:, \??\Z:, \??\S:, \??\U:, \??\J:, \??\K:, \??\N:, \??\Q:, \??\R:, \??\G:, \??\H:, \??\O:, \??\P:, \??\T:, \??\W:, \??\B:, \??\I:
Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (Yiigkau.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (Yiigkau.exe)

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\Yiigkau.exe (1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe)
- File opened for modification: C:\Program Files (x86)\Yiigkau.exe (1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe)
Modifies data under HKEY_USERS (25 IoCs)
All entries by process Yiigkau.exe:
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- PID 1724: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe (4 entries)
- PID 2316: Yiigkau.exe (3 entries)
- PID 2548: Yiigkau.exe (3 entries)

Suspicious behavior: RenamesItself (1 IoC)
- PID 1724: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2316 (Yiigkau.exe) wrote to memory of PID 2548, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e.exe"
  PID: 1724
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
- C:\Program Files (x86)\Yiigkau.exe
  Command line: "C:\Program Files (x86)\Yiigkau.exe"
  PID: 2316
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files (x86)\Yiigkau.exe
    Command line: "C:\Program Files (x86)\Yiigkau.exe" Win7
    PID: 2548
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 404KB
- MD5: afb32c288fb7bb31154a40f38d7ecdc5
- SHA1: 57ce4792da716b0b25d1f56a275e42b1d514e03b
- SHA256: 1d3af32636fd8cf0abb6e459ae9616a69d7ce8b4ff54fb06bb9d104c9d457d4e
- SHA512: 127ff706cbf39876775ba31d85963445f242b50c99a3f8e2060b4b19798066461740318414107d1fa1007cadc829a417090ff78b1ed67a820597c132a7a4a918