gh0strat | d3d68d7b09e5f02219129c961513b2ce084d13f0a3bdb9d1c7898fab18426df6

General

Target

e.exe
Size

3.7MB
MD5

569aaee0d37aaf2cc146f8365fbfee0f
SHA1

abd07815d8c40c711a0a2dba8ed07b8f7c4d6ca7
SHA256

d3d68d7b09e5f02219129c961513b2ce084d13f0a3bdb9d1c7898fab18426df6
SHA512

1e59961fe4f89e014ad740a8df52925d63277be30874b7a46225b533028447dc0168ef3c83861b1174de5a72db9d3b135732860e26dfcd43cc74aef1c1884ea7
SSDEEP

98304:AI8xdgcmkuT93Cvmtud9LS51a+FsffmzSvV5/JbPPMYZAvl:AI8/gcYEVdFfmzSvV5/xUY2N

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2476-34-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/memory/2476-33-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/memory/2476-37-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/memory/2476-38-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

render.exerender.exe

pid process

2476 render.exe
3448 render.exe
Loads dropped DLL 2 IoCs

Processes:

render.exerender.exe

pid process

2476 render.exe
3448 render.exe

pid	process
2476	render.exe
3448	render.exe

pid	process
2476	render.exe
3448	render.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2476-30-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2476-34-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2476-33-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2476-37-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2476-38-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

e.exerender.exe

pid	process
4244	e.exe
4244	e.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe
2476	render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e.exe

pid process

4244 e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e.exerender.exe

description	pid	process	target process
PID 4244 wrote to memory of 2476	4244	e.exe	render.exe
PID 4244 wrote to memory of 2476	4244	e.exe	render.exe
PID 4244 wrote to memory of 2476	4244	e.exe	render.exe
PID 2476 wrote to memory of 3448	2476	render.exe	render.exe
PID 2476 wrote to memory of 3448	2476	render.exe	render.exe
PID 2476 wrote to memory of 3448	2476	render.exe	render.exe

C:\Users\Admin\AppData\Local\Temp\e.exe
"C:\Users\Admin\AppData\Local\Temp\e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244

C:\recovery\render.exe
"C:\recovery\render.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2476

C:\recovery\render.exe
C:\recovery\render.exe --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel --handshake-handle=0x1f8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\a6.txt

Filesize
1KB

MD5
b88a95ec3224ecf4ebcb53be37a31402

SHA1
72d4e42691713d59d4b698a274b0ac61d17b1e66

SHA256
d64f765ea386b9dea471488c9de23eb6cff908a88c3c72bd7de1a5247dcb8a3b

SHA512
38b0c1622a3d4ea6afeb2ff09067f18ec8a82038d037ca50fe13883e98799cc3216baba3713098ceb06887f13498ecdec7a5e6d450ada34591a9288d06a8c117

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
6a2ed4fb22a684592075544a049c6bc8

SHA1
289fa98f8852b35922689b505d771d6da37bac36

SHA256
6dd3ca7f5bee3e18a3c0b5e7b165ef9eea50c9743b9d4ba1ac926b92dad3a4dc

SHA512
edde8396639f734618f73d7ecb4013ed70e4ea738487a5b7ef19a4fe549b75572ac2f630a1d7c42fb84239c3f97cab2c8b46e5866587856a96b965704105467e

Download Submit
C:\recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
\Recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
\Recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
memory/2476-28-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2476-29-0x00000000007D0000-0x000000000081E000-memory.dmp

Filesize
312KB

Download
memory/2476-30-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2476-34-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2476-33-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2476-37-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2476-38-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4244-6-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/4244-11-0x0000000000970000-0x000000000098E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads